MITRE ATT&CK® Technique

T1588.006: Vulnerabilities

Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.[1]

An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. Exploits) or to attempt to develop one themselves (i.e. Exploits).

Domain: Enterprise | ID: T1588.006 | Type: Sub-technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This technique is about adversaries acquiring vulnerability information before an operation. The business risk is not the database lookup itself; it is the timing advantage attackers gain when they track new disclosures, closed vulnerability sources, or research targets faster than an organization can assess exposure and reduce risk.

Executive priority

Treat this as a test of vulnerability management speed, external exposure awareness, and pre-compromise readiness. Leaders should ask whether the organization can rapidly map newly disclosed vulnerabilities to owned assets, prioritize internet-facing and business-critical systems, and produce evidence that risk decisions were made before an incident. The related ATT&CK context connects this behavior to resource development and to multiple threat actors and campaigns, so it should inform budget and governance around threat intelligence, vulnerability prioritization, and attack surface reduction.

Technical view

For SOC, IR, and detection engineering teams, this is a PRE-platform, resource-development behavior with no official ATT&CK detection text supplied. Validation should therefore focus less on endpoint alerts and more on whether intelligence, vulnerability management, and exposure data can show when a relevant vulnerability became known, which assets were affected, and what action was taken. The sub-technique sits under Obtain Capabilities, and the official description links acquired vulnerability information to later exploit acquisition or exploit development, so defenders should connect vulnerability-intelligence workflows with downstream detection and response planning.

Likely telemetry

  • Vulnerability intelligence sources and disclosure feeds, including open vulnerability databases such as NVD
  • Asset inventory and ownership records used to map vulnerabilities to systems
  • External attack surface and internet-facing service inventories
  • Vulnerability scanner results and remediation status
  • Patch, exception, and risk-acceptance records

Detection direction

  • Because ATT&CK provides no official detection text for this object, validate process coverage rather than assuming a direct alert exists.
  • Use the related DET0808 detection strategy as a prompt to confirm whether vulnerability-related intelligence is collected, normalized, and tied to asset exposure.
  • Tune prioritization around newly disclosed vulnerabilities, externally exposed assets, and business-critical systems rather than treating every CVE equally.
  • Check for blind spots where vulnerability data is not linked to asset ownership, cloud or external exposure, patch status, or incident-response playbooks.
  • Avoid over-interpreting public vulnerability research as malicious activity; false positives are likely if normal research, vendor advisories, and defensive scanning are not distinguished from adversary preparation.

Mitigation priorities

  • Apply the related M1056 Pre-compromise mitigation direction: reduce attack surface before adversaries can use vulnerability knowledge operationally.
  • Maintain current asset and exposure inventories so new vulnerability information can be translated into organizational risk quickly.
  • Prioritize remediation for exposed and critical systems, with documented exceptions and compensating controls where patching is delayed.
  • Limit unnecessary public information that makes vulnerable systems or research targets easier to identify.
  • For organizations conducting vulnerability research, review access controls and monitoring around repositories, databases, and communications that may contain non-public vulnerability information.
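
The detection-direction and mitigation bullets above both come down to one workflow: take a disclosure feed, map it to owned assets, rank exposed and critical systems first, and surface the blind spots where vulnerability data has no owner, no patch record, or no matching asset. The following is an added example of that workflow, not Glexia's or MITRE's code; the feed shape, inventory fields and CVE ids are constructed placeholders.

```python
# Added example (not Glexia's or MITRE's code): map a disclosure feed to an
# asset inventory, rank by exposure and criticality, and surface blind spots
# where vulnerability data is not linked to owners or patch status. Inputs are
# constructed; the feed is a simplified NVD-style shape and CVE ids are placeholders.
CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "acme-vpn", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "acme-crm", "cvss": 7.5},
    {"id": "CVE-0000-0003", "product": "legacy-erp", "cvss": 6.1},
]

# Constructed inventory: exposure and criticality drive prioritization; a
# missing owner is the blind spot the detection direction above calls out.
ASSETS = [
    {"host": "vpn-gw-1", "product": "acme-vpn", "internet_facing": True,
     "critical": True, "owner": "netops", "patched": []},
    {"host": "crm-app-2", "product": "acme-crm", "internet_facing": False,
     "critical": True, "owner": None, "patched": []},
    {"host": "dev-box-7", "product": "acme-crm", "internet_facing": False,
     "critical": False, "owner": "eng", "patched": ["CVE-0000-0002"]},
]

def priority(asset, cve):
    """Score a finding: CVSS plus bonuses for internet exposure and criticality."""
    score = cve["cvss"]
    if asset["internet_facing"]:
        score += 3.0
    if asset["critical"]:
        score += 2.0
    return round(score, 1)

def triage(feed, assets):
    """Return (findings sorted highest priority first, list of blind spots)."""
    by_product = {}
    for a in assets:
        by_product.setdefault(a["product"], []).append(a)
    findings, blind_spots = [], []
    for cve in feed:
        matches = by_product.get(cve["product"], [])
        if not matches:
            # No inventory entry claims this product: absent or unrecorded.
            blind_spots.append(f"{cve['id']}: no asset mapped to {cve['product']}")
        for a in matches:
            if cve["id"] in a["patched"]:
                continue  # remediation already recorded for this host
            if a["owner"] is None:
                blind_spots.append(f"{a['host']}: no owner for {cve['id']}")
            findings.append((priority(a, cve), a["host"], cve["id"]))
    findings.sort(reverse=True)
    return findings, blind_spots
```

Running `triage(CVE_FEED, ASSETS)` ranks the internet-facing VPN gateway ahead of the internal CRM host and reports two blind spots: an unowned critical asset and a disclosed product that no inventory record claims.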

Analyst notes and limits

The relationship context shows this behavior associated with the parent technique Obtain Capabilities and with named groups/campaigns including Leviathan Australian Intrusions, Sandworm Team, Volt Typhoon, and Storm-0501. That context supports treating vulnerability intelligence as a strategic pre-compromise concern across different threat types, but it does not prove current targeting or exposure for any specific organization.

The supplied ATT&CK object has no official detection guidance and only the PRE platform. Local evidence is required to determine whether relevant vulnerabilities affect the environment, whether telemetry exists, and whether controls are effective. This take does not claim active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1588
Name: Obtain Capabilities
Relationship / procedure: This object is a sub-technique of Obtain Capabilities.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group Enterprise

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Campaign Enterprise

C0049: Leviathan Australian Intrusions

Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6d2804db599b9f65...

Imported snapshots across ATT&CK releases (1)

Columns: Release | Bundle imported | Object version | Modified | Status | Raw hash
Row: 19.1 | 1.0 | Current bundle | 6d2804db599b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] National Vulnerability Database. (n.d.). National Vulnerability Database. Retrieved October 15, 2020. (Open source URL)
  2. [2] mitre-attack T1588.006. (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.