Playbook: Vulnerability Exploitation¶

ID: PB-18 Severity: High/Critical | Category: Vulnerability Management MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution) Trigger: IDS/IPS alert, EDR detection, vulnerability scan, TI advisory, WAF block

Exploit Lifecycle¶

graph LR
    Disc["🔍 Vuln Discovered"] --> PoC["💻 Public PoC"]
    PoC --> Wild["🌐 In-the-Wild"]
    Wild --> Patch["🩹 Vendor Patch"]
    Patch --> Apply["✅ Patch Applied"]
    style Disc fill:#3498db,color:#fff
    style Wild fill:#e74c3c,color:#fff
    style Apply fill:#27ae60,color:#fff

Virtual Patching Flow¶

sequenceDiagram
    participant SOC
    participant WAF
    participant Dev as Dev Team
    SOC->>WAF: Create virtual patch rule
    WAF-->>SOC: ✅ Rule active
    SOC->>Dev: Notify vulnerability + CVE
    Dev->>Dev: Fix source code
    Dev->>SOC: Deployed fix
    SOC->>WAF: Remove virtual patch

Decision Flow¶

graph TD
    Alert["🚨 Exploit Attempt Detected"] --> CVE["🔍 Identify CVE"]
    CVE --> Vuln{"🎯 Is Target Vulnerable?"}
    Vuln -->|Patched / Not Affected| Attempt["🟡 Blocked Attempt"]
    Vuln -->|Vulnerable| Response{"📊 Exploit Successful?"}
    Response -->|200 OK / Shell / Payload| Success["🔴 Successful Exploitation"]
    Response -->|Blocked (403/Drop)| Attempt
    Response -->|Error (500)| Partial["🟠 Investigate Further"]
    Attempt --> Block["🚫 Block Attacker IP"]
    Success --> Type{"💥 Exploit Impact?"}
    Type -->|RCE| RCE["🚨 Isolate + Major Response"]
    Type -->|Info Disclosure| Info["🛡️ Block + Patch"]
    Type -->|DoS| DoS["⚙️ Mitigate + Patch"]
    Partial --> Type
    RCE --> FullIR["Full Incident Response"]

1. Analysis¶

1.1 CVE / Vulnerability Identification¶

Check	How	Done
Identify CVE number from alert/signature	IPS/IDS/WAF	☐
Check CVSS score and severity	NVD, vendor advisory	☐
Is it in CISA KEV (Known Exploited Vulnerabilities)?	CISA KEV	☐
Is public PoC exploit available?	GitHub, ExploitDB	☐
Check if active exploitation in the wild	TI feeds, advisories	☐

1.2 Target Assessment¶

Check	How	Done
Is the target system affected? (version/config)	CMDB, vulnerability scanner	☐
Is the vulnerable service exposed externally?	Firewall rules, Shodan	☐
What is the asset criticality?	CMDB, business context	☐
Is the target already patched?	Patch management system	☐
Were compensating controls in place? (WAF, segmentation)	Security architecture	☐

1.3 Exploitation Evidence¶

Evidence	What to Look For	Done
Network payload	Exploit signature in IPS/IDS logs	☐
Server response	Success indicators (reverse shell, data leak)	☐
Process creation	New processes spawned after exploit	☐
File creation	Web shells, payloads dropped to disk	☐
Outbound connections	C2 callbacks from exploited server	☐
Post-exploitation	Credential dumping, lateral movement	☐

2. Containment¶

2.1 Exploit Attempt (Blocked)¶

#	Action	Tool	Done
1	Block attacker IP	Firewall	☐
2	Update IPS/WAF signatures	IPS / WAF	☐
3	Alert vulnerability management to prioritize patching	Ticket	☐

2.2 Successful Exploitation¶

#	Action	Tool	Done
1	Isolate exploited system immediately	EDR / Firewall	☐
2	Block attacker IP and any C2 indicators	Firewall	☐
3	Apply virtual patch at WAF/IPS	WAF / IPS	☐
4	Disable vulnerable service if possible	System admin	☐
5	Capture memory dump and disk image	Forensics	☐
6	Check for lateral movement from exploited host	PB-12	☐

2.3 Zero-Day (No Patch Available)¶

#	Action	Done
1	Apply workaround from vendor advisory (disable feature, config change)	☐
2	Deploy custom WAF/IPS rule for exploit pattern	☐
3	Segment affected systems from network	☐
4	Enable enhanced monitoring / logging	☐
5	Report to vendor and request emergency patch	☐

3. Eradication¶

#	Action	Done
1	Apply official patch from vendor	☐
2	Remove any web shells, backdoors, or dropped payloads	☐
3	Reset credentials on the exploited system	☐
4	Scan for other vulnerable instances in environment	☐
5	Check for persistence mechanisms installed by attacker	☐

4. Recovery¶

#	Action	Done
1	Run vulnerability scan to confirm patch applied	☐
2	Test application functionality after patching	☐
3	Reconnect system to network in stages	☐
4	Monitor for re-exploitation attempts for 72 hours	☐
5	Update asset inventory with patch status	☐

5. IoC Collection¶

Type	Value	Source
CVE Number		IPS / Advisory
Attacker IP		Firewall / IPS
Exploit Payload		IPS / WAF logs
Target System		Alert
Dropped Files (hash)		EDR / Forensics
C2 Indicators		Network logs
Post-exploitation Tools		EDR

6. Escalation Criteria¶

Condition	Escalate To
RCE with confirmed shell	CISO + Major Incident
Zero-day (no patch available)	CISO + Vendor + CERT
Critical infrastructure (DB, DC) exploited	CISO immediately
CISA KEV vulnerability actively exploited	Vulnerability Management + SOC Lead
Multiple systems exploited	Major Incident
Data breach through exploitation	PB-08 + Legal

Exploit Severity Classification¶

graph TD
    Vuln["🔓 Vulnerability"] --> CVSS{"📊 CVSS?"}
    CVSS -->|9.0+| Critical["🔴 Critical — patch 24h"]
    CVSS -->|7.0-8.9| High["🟠 High — patch 7d"]
    CVSS -->|4.0-6.9| Medium["🟡 Medium — patch 30d"]
    CVSS -->|Under 4.0| Low["🟢 Low — next cycle"]
    Critical --> Weaponized{"⚔️ Weaponized?"}
    Weaponized -->|Yes| Emergency["🚨 Emergency patch NOW"]
    Weaponized -->|No| Critical
    style Emergency fill:#c0392b,color:#fff
    style Critical fill:#e74c3c,color:#fff

Virtual Patching Architecture¶

graph LR
    Traffic["🌐 Traffic"] --> WAF["🛡️ WAF"]
    WAF --> VPatch["📋 Virtual Patch Rule"]
    VPatch -->|Match| Block["❌ Block"]
    VPatch -->|No match| App["📱 App"]
    App --> IPS["🔍 IPS"]
    IPS -->|Signature| Alert["🚨 Alert"]
    style WAF fill:#27ae60,color:#fff
    style Block fill:#e74c3c,color:#fff

Detection Rules (Sigma)¶

Rule	File
WAF Detected Exploit Attempt	web_waf_exploit.yml
Execution from Temp/Downloads	proc_temp_folder_execution.yml