
Commit 21f0e52

Sync Collecting Detection Rules: Sat May 16 22:24:13 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent a3932e0 commit 21f0e52

76 files changed

Lines changed: 119490 additions & 119490 deletions



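--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n- attack.execution\n- attack.t1203\n- attack.t1204.002\n- attack.initial-access\n- attack.t1566.001\n- cve.2017-0261\n- detection.emerging-threats\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WINWORD.EXE\n Image|contains: \\FLTLDR.exe\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n",
 "vulnerabilities": [
-"CVE-2017-0261",
-"CVE-2017-0262"
+"CVE-2017-0262",
+"CVE-2017-0261"
 ]
 }
 ]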
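Review bot: The only change to this file is the order of the two `vulnerabilities` entries, which indicates the array is serialised in whatever order an unordered collection yields and will keep flipping on every sync; the commit's diffstat (119490 additions against 119490 deletions across 76 files) looks like the same churn repeated. Sorting the list before it is written, e.g. `sorted(set(cve_ids))` at the point this file is emitted, would make the output stable, keep future diffs meaningful, and make the file content-addressable for provenance checks. The generator is not part of this diff, so where exactly to apply the sort is inferred.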

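--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json
@@ -11,9 +11,9 @@
 },
 "rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n product: windows\n service: application\ndetection:\n selection1:\n EventID: 4\n Provider_Name: MSExchange Control Panel\n Level: Error\n selection2:\n - '&__VIEWSTATE='\n condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
+"CVE-2021-24085",
 "CVE-2020-16875",
-"CVE-2020-0688",
-"CVE-2021-24085"
+"CVE-2020-0688"
 ]
 }
 ]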
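Review bot: `CVE-2021-24085` and `CVE-2020-16875` are listed in `vulnerabilities` for this rule, yet the rule's `tags` carry only `cve.2020-0688` and its detection logic (`MSExchange Control Panel` Event ID 4 with `&__VIEWSTATE=`) is specific to that one CVE; the other two identifiers occur in `rule_text` only inside the slug of the cyberpolygon reference URL. If the array is populated from every CVE-shaped string in `rule_text`, it over-attributes rules to vulnerabilities they do not detect, which matters when consumers use this field to answer "do we have coverage for CVE-X". Consider deriving the list from the `cve.*` tags (or at least excluding the `references` block from extraction), or documenting that the field means "mentioned" rather than "detected". How the list is produced is inferred from the data, not visible here.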

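--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
@@ -12,8 +12,8 @@
 "rule_text": "title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempt against Citrix Netscaler, Application Delivery\n Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193\n and CVE-2020-8195\nreferences:\n- https://support.citrix.com/article/CTX276688\n- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n- https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-8193\n- cve.2020-8195\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection1:\n cs-uri-query|contains: /rapi/filedownload?filter=path:%2F\n selection2:\n cs-uri-query|contains|all:\n - /pcidss/report\n - type=all_signatures\n - sig_name=_default_signature_\n condition: 1 of selection*\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
 "CVE-2020-8193",
-"CVE-2020-8195",
-"CVE-2020-8196"
+"CVE-2020-8196",
+"CVE-2020-8195"
 ]
 }
 ]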
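Review bot: `CVE-2020-8196` is listed in `vulnerabilities` although the title, description and `tags` of this rule name only `CVE-2020-8193` and `CVE-2020-8195`; the third identifier appears in `rule_text` solely within the nccgroup reference URL. Treating a URL slug as evidence that the rule detects a vulnerability will mislead anyone mapping rules to CVE coverage. Prefer the `cve.*` tags as the source of this field, or exclude the `references` block when scanning the text; the extraction code is not in this diff, so the cause is inferred.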

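--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json
@@ -12,8 +12,8 @@
 "rule_text": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n type: derived\nstatus: stable\ndescription: 'Detects the remote installation of a print driver which is possible\n indication of the exploitation of PrintNightmare (CVE-2021-1675).\n\n The occurrence of print drivers being installed remotely via RPC functions should\n be rare, as print drivers are normally installed locally and or through group policy.\n\n '\nreferences:\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n- https://github.com/corelight/CVE-2021-1675\n- https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n- attack.execution\n- cve.2021-1678\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: zeek\n service: dce_rpc\ndetection:\n selection:\n operation:\n - RpcAsyncInstallPrinterDriverFromPackage\n - RpcAsyncAddPrintProcessor\n - RpcAddPrintProcessor\n - RpcAddPrinterDriverEx\n - RpcAddPrinterDriver\n - RpcAsyncAddPrinterDriver\n condition: selection\nfalsepositives:\n- Legitimate remote alteration of a printer driver.\nlevel: medium\n",
 "vulnerabilities": [
 "CVE-2021-1675",
-"CVE-2021-34527",
-"CVE-2021-1678"
+"CVE-2021-1678",
+"CVE-2021-34527"
 ]
 }
 ]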

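--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Arcadyan Router Exploitations\nid: f0500377-bc70-425d-ac8c-e956cd906871\nstatus: test\ndescription: Detects exploitation of vulnerabilities in Arcadyan routers as reported\n in CVE-2021-20090 and CVE-2021-20091.\nreferences:\n- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n- https://www.tenable.com/security/research/tra-2021-13\n- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nauthor: Bhabesh Raj\ndate: 2021-08-24\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-20090\n- cve.2021-20091\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n path_traversal:\n cs-uri-query|contains: ..%2f\n config_file_inj:\n cs-uri-query|contains|all:\n - ..%2f\n - apply_abstract.cgi\n noauth_list:\n cs-uri-query|contains:\n - /images/\n - /js/\n - /css/\n - /setup_top_login.htm\n - /login.html\n - /loginerror.html\n - /loginexclude.html\n - /loginlock.html\n condition: (path_traversal or config_file_inj) and noauth_list\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-20091",
-"CVE-2021-20090"
+"CVE-2021-20090",
+"CVE-2021-20091"
 ]
 }
 ]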

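--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using\n OGNL injection\nreferences:\n- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-26084\n- detection.emerging-threats\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of certain parts of this detection'\ndetection:\n selection_main:\n cs-method: POST\n sc-status: 200\n cs-username: anonymous\n selection_exploit_1:\n cs-uri-query|contains|all:\n - /pages/createpage-entervariables.action\n - SpaceKey=x\n selection_exploit_2_uri:\n cs-uri-query|contains: /doenterpagevariables.action\n selection_exploit_2_keyword:\n - u0027\n condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2021-26084",
-"CVE-2021-260841"
+"CVE-2021-260841",
+"CVE-2021-26084"
 ]
 }
 ]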
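Review bot: `CVE-2021-260841` is carried in `vulnerabilities` as a first-class identifier, but it is the typo in the rule description (`CVE-2021-260841 a Confluence RCE`) while the title, `tags` and all references say `CVE-2021-26084`. Anyone joining this data against NVD or a CVE feed gets a dangling lookup, and a rule-to-CVE coverage report gains a phantom entry. A cheap mitigation is to resolve each extracted identifier against the CVE record source before emitting it and drop or flag the ones that do not resolve; the typo itself belongs upstream in the Sigma rule. The extraction step is not visible in this diff.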

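--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800\nid: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8\nstatus: test\ndescription: 'Detects potential exploitation attempts of Nimbuspwn vulnerabilities\n CVE-2022-29799 and CVE-2022-27800 in Linux systems.\n\n '\nreferences:\n- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\n- https://github.com/Immersive-Labs-Sec/nimbuspwn\nauthor: Bhabesh Raj\ndate: 2022-05-04\nmodified: 2025-11-03\ntags:\n- attack.privilege-escalation\n- attack.t1068\n- detection.emerging-threats\n- cve.2022-29799\n- cve.2022-27800\nlogsource:\n product: linux\ndetection:\n keywords:\n '|all':\n - networkd-dispatcher\n - Error handling notification for interface\n - ../../\n condition: keywords\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-29799",
-"CVE-2022-27800"
+"CVE-2022-27800",
+"CVE-2022-29799"
 ]
 }
 ]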

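--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Apache Spark Shell Command Injection - ProcessCreation\nid: c8a5f584-cdc8-42cc-8cce-0398e4265de3\nstatus: test\ndescription: Detects attempts to exploit an apache spark server via CVE-2014-6287\n from a commandline perspective\nreferences:\n- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n- https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-20\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-33891\n- detection.emerging-threats\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: \\bash\n CommandLine|contains:\n - id -Gn `\n - id -Gn '\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-33891",
-"CVE-2014-6287"
+"CVE-2014-6287",
+"CVE-2022-33891"
 ]
 }
 ]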
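Review bot: `CVE-2014-6287` is listed alongside `CVE-2022-33891`, but it comes only from the description sentence `exploit an apache spark server via CVE-2014-6287`, whereas the title, the `cve.2022-33891` tag and all three references concern the 2022 Spark issue; the description text looks like an upstream copy error in the Sigma rule, which is not in this diff. Emitting it here reports this rule as coverage for an unrelated 2014 CVE. Prefer the `cve.*` tags as the authoritative source for this field, or cross-check description-extracted identifiers against the tags and flag disagreements rather than silently merging them.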

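--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Apache Spark Shell Command Injection - Weblogs\nid: 1a9a04fd-02d1-465c-abad-d733fd409f9c\nstatus: test\ndescription: Detects attempts to exploit an apache spark server via CVE-2014-6287\n from a weblogs perspective\nreferences:\n- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n- https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-19\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-33891\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection:\n cs-uri-query|contains: ?doAs=`\n condition: selection\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-33891",
-"CVE-2014-6287"
+"CVE-2014-6287",
+"CVE-2022-33891"
 ]
 }
 ]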
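Review bot: `CVE-2014-6287` should not be in this rule's `vulnerabilities`; its only occurrence in `rule_text` is the description phrase `via CVE-2014-6287`, while the title, the `cve.2022-33891` tag and every reference are about CVE-2022-33891, so the description is most likely an upstream wording error. Consumers mapping rules to CVEs will otherwise see a Spark `?doAs=` detection attributed to a 2014 vulnerability. Deriving this field from the `cve.*` tags, or at least flagging identifiers that appear in the description but not in the tags, would keep it trustworthy.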

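--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2303-36884 URL Request Pattern Traffic\nid: d9365e39-febd-4a4b-8441-3ca91bb9d333\nstatus: test\ndescription: Detects a specific URL pattern containing a specific extension and parameters\n pointing to an IP address. This pattern was seen being used by RomCOM potentially\n exploiting CVE-2023-36884\nreferences:\n- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n- attack.command-and-control\n- cve.2023-36884\n- detection.emerging-threats\nlogsource:\n category: proxy\ndetection:\n selection:\n cs-method: GET\n c-uri|re: \\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2303-36884",
-"CVE-2023-36884"
+"CVE-2023-36884",
+"CVE-2303-36884"
 ]
 }
 ]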
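Review bot: `CVE-2303-36884` has a year component of 2303 and cannot be a valid CVE identifier; it is the typo in the rule title (`Potential CVE-2303-36884 URL Request Pattern Traffic`), and the correct `CVE-2023-36884` is already present from the description and the `cve.2023-36884` tag. A simple plausibility check at extraction time would stop this reaching the data set, for example `if not (1999 <= int(year) <= date.today().year): skip` applied to the captured year before the identifier is added. The extractor is outside this diff, so the exact insertion point is inferred; the typo itself should be reported upstream to the Sigma rule.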
