
Commit 45d09d8

Sync Collecting Detection Rules: Sat May 16 08:29:40 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent ba26415 commit 45d09d8

72 files changed

Lines changed: 105683 additions & 105683 deletions


data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n- attack.execution\n- attack.t1203\n- attack.t1204.002\n- attack.initial-access\n- attack.t1566.001\n- cve.2017-0261\n- detection.emerging-threats\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WINWORD.EXE\n Image|contains: \\FLTLDR.exe\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n",
1313
"vulnerabilities": [
14-
"CVE-2017-0262",
15-
"CVE-2017-0261"
14+
"CVE-2017-0261",
15+
"CVE-2017-0262"
1616
]
1717
}
1818
]
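Review bot: the only change in this hunk is that "CVE-2017-0262" and "CVE-2017-0261" swap places in the "vulnerabilities" array, with no change to the rule itself; this looks like the array is emitted from an unordered collection, so the sync produces churn on every run. Sorting the CVE ids before serialization would make the output stable and leave the diff showing only real changes.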

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json

Lines changed: 1 addition & 1 deletion
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n product: windows\n service: application\ndetection:\n selection1:\n EventID: 4\n Provider_Name: MSExchange Control Panel\n Level: Error\n selection2:\n - '&__VIEWSTATE='\n condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
1313
"vulnerabilities": [
14-
"CVE-2021-24085",
1514
"CVE-2020-16875",
15+
"CVE-2021-24085",
1616
"CVE-2020-0688"
1717
]
1818
}
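Review bot: "CVE-2021-24085" moves from the first to the second position in the "vulnerabilities" array while the rule text is untouched, and the resulting order ("CVE-2020-16875", "CVE-2021-24085", "CVE-2020-0688") is neither sorted nor the order the reference URL lists them in. A deterministic ordering of the array would remove this kind of no-op change from future sync commits.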

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection\nid: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561\nstatus: stable\ndescription: Detects the suspicious file that is created from PoC code against Windows\n Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),\n CVE-2021-1675 .\nreferences:\n- https://twitter.com/mvelazco/status/1410291741241102338\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\nauthor: Sittikorn S, Nuttakorn T, Tim Shelton\ndate: 2021-07-01\nmodified: 2023-10-23\ntags:\n- attack.privilege-escalation\n- attack.stealth\n- attack.t1055\n- detection.emerging-threats\n- cve.2021-34527\n- cve.2021-1675\nlogsource:\n category: antivirus\ndetection:\n selection:\n Filename|contains: :\\Windows\\System32\\spool\\drivers\\x64\\\n keywords:\n - File submitted to Symantec\n condition: selection and not keywords\nfalsepositives:\n- Unlikely, or pending PSP analysis\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
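Review bot: this hunk only reorders "CVE-2021-1675" and "CVE-2021-34527" in the "vulnerabilities" array; the new order happens to match the cve.* tag order in the rule text here, but the matching hunks for the other PrintNightmare rules in this commit end up with the opposite order, which suggests no ordering key is applied. Sorting the array would keep all these files consistent with each other.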

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Windows Spooler Service Suspicious Binary Load\nid: 02fb90de-c321-4e63-a6b9-25f4b03dfd14\nstatus: test\ndescription: 'Detect DLL Load from Spooler Service backup folder. This behavior has\n been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675\n and CVE-2021-34527 (PrinterNightmare).\n\n '\nreferences:\n- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n- https://github.com/ly4k/SpoolFool\nauthor: FPT.EagleEye, Thomas Patzke (improvements)\ndate: 2021-06-29\nmodified: 2022-06-02\ntags:\n- attack.persistence\n- attack.privilege-escalation\n- attack.execution\n- attack.stealth\n- attack.t1574\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n category: image_load\n product: windows\ndetection:\n selection:\n Image|endswith: \\spoolsv.exe\n ImageLoaded|contains:\n - \\Windows\\System32\\spool\\drivers\\x64\\3\\\n - \\Windows\\System32\\spool\\drivers\\x64\\4\\\n ImageLoaded|endswith: .dll\n condition: selection\nfalsepositives:\n- Loading of legitimate driver\nlevel: informational\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
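Review bot: the "vulnerabilities" array is rewritten as "CVE-2021-34527", "CVE-2021-1675" with nothing else changing, while the rule's own tags list them as cve.2021-1675 then cve.2021-34527. If the intent is to mirror the rule, derive the order from the tags; otherwise sort the ids so the field stops flipping between syncs.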

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: PrinterNightmare Mimikatz Driver Name\nid: ba6b9e43-1d45-4d3c-a504-1043a64c8469\nstatus: test\ndescription: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited\n in CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760\n- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n- https://nvd.nist.gov/vuln/detail/cve-2021-1675\n- https://nvd.nist.gov/vuln/detail/cve-2021-34527\nauthor: Markus Neis, @markus_neis, Florian Roth\ndate: 2021-07-04\nmodified: 2023-06-12\ntags:\n- attack.execution\n- attack.t1204\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject|contains:\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz\n selection_alt:\n TargetObject|contains|all:\n - legitprinter\n - \\Control\\Print\\Environments\\Windows\n selection_print:\n TargetObject|contains:\n - \\Control\\Print\\Environments\n - \\CurrentVersion\\Print\\Printers\n selection_kiwi:\n TargetObject|contains:\n - Gentil Kiwi\n - mimikatz printer\n - Kiwi Legit Printer\n condition: selection or selection_alt or (selection_print and selection_kiwi)\nfalsepositives:\n- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser\n printer (unlikely)\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
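Review bot: same pure reordering of "CVE-2021-1675" and "CVE-2021-34527" as in the neighbouring PrintNightmare rules, with the rule text unchanged. Treating the array as a sorted list when writing the JSON would avoid this two-line churn in every such file.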

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: CVE-2021-1675 Print Spooler Exploitation IPC Access\nid: 8fe1c584-ee61-444b-be21-e9054b229694\nstatus: test\ndescription: Detects remote printer driver load from Detailed File Share in Security\n logs that are a sign of successful exploitation attempts against print spooler vulnerability\n CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://twitter.com/INIT_3/status/1410662463641731075\nauthor: INIT_6\ndate: 2021-07-02\nmodified: 2022-10-05\ntags:\n- attack.execution\n- attack.t1569\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 5145\n ShareName: \\\\\\\\\\*\\\\IPC$\n RelativeTargetName: spoolss\n AccessMask: '0x3'\n ObjectType: File\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
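Review bot: the swap of "CVE-2021-1675" and "CVE-2021-34527" in the "vulnerabilities" array carries no information; the rule text, including its tags in the opposite order, is untouched. A stable sort before serialization would make this hunk disappear.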

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json

Lines changed: 2 additions & 2 deletions
@@ -12,8 +12,8 @@
1212
"rule_text": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n type: derived\nstatus: stable\ndescription: 'Detects the remote installation of a print driver which is possible\n indication of the exploitation of PrintNightmare (CVE-2021-1675).\n\n The occurrence of print drivers being installed remotely via RPC functions should\n be rare, as print drivers are normally installed locally and or through group policy.\n\n '\nreferences:\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n- https://github.com/corelight/CVE-2021-1675\n- https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n- attack.execution\n- cve.2021-1678\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: zeek\n service: dce_rpc\ndetection:\n selection:\n operation:\n - RpcAsyncInstallPrinterDriverFromPackage\n - RpcAsyncAddPrintProcessor\n - RpcAddPrintProcessor\n - RpcAddPrinterDriverEx\n - RpcAddPrinterDriver\n - RpcAsyncAddPrinterDriver\n condition: selection\nfalsepositives:\n- Legitimate remote alteration of a printer driver.\nlevel: medium\n",
1313
"vulnerabilities": [
1414
"CVE-2021-1678",
15-
"CVE-2021-1675",
16-
"CVE-2021-34527"
15+
"CVE-2021-34527",
16+
"CVE-2021-1675"
1717
]
1818
}
1919
]
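Review bot: "CVE-2021-1678" keeps its place while "CVE-2021-1675" and "CVE-2021-34527" swap, which is consistent with iteration over an unordered set rather than an intentional change; the tag order in the rule (cve.2021-1678, cve.2021-1675, cve.2021-34527) is not what the new array shows either. Sorting the ids would give a reproducible order for all three.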

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Arcadyan Router Exploitations\nid: f0500377-bc70-425d-ac8c-e956cd906871\nstatus: test\ndescription: Detects exploitation of vulnerabilities in Arcadyan routers as reported\n in CVE-2021-20090 and CVE-2021-20091.\nreferences:\n- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n- https://www.tenable.com/security/research/tra-2021-13\n- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nauthor: Bhabesh Raj\ndate: 2021-08-24\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-20090\n- cve.2021-20091\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n path_traversal:\n cs-uri-query|contains: ..%2f\n config_file_inj:\n cs-uri-query|contains|all:\n - ..%2f\n - apply_abstract.cgi\n noauth_list:\n cs-uri-query|contains:\n - /images/\n - /js/\n - /css/\n - /setup_top_login.htm\n - /login.html\n - /loginerror.html\n - /loginexclude.html\n - /loginlock.html\n condition: (path_traversal or config_file_inj) and noauth_list\nfalsepositives:\n- Unknown\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-20091",
15-
"CVE-2021-20090"
14+
"CVE-2021-20090",
15+
"CVE-2021-20091"
1616
]
1717
}
1818
]
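Review bot: the array is reordered to "CVE-2021-20090", "CVE-2021-20091", which is the sorted order and matches the tags, but since the previous sync wrote the reverse order the generator is clearly not sorting on purpose. Making the sort explicit would lock in this ordering instead of leaving it to chance.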

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: ProxyLogon Reset Virtual Directories Based On IIS Log\nid: effee1f6-a932-4297-a81f-acb44064fa3a\nstatus: test\ndescription: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack\n is used to manipulate virtual directories\nreferences:\n- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: frack113\ndate: 2021-08-10\nmodified: 2023-05-08\ntags:\n- cve.2021-26858\n- detection.emerging-threats\n- attack.initial-access\n- attack.t1190\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of this detection'\ndetection:\n selection:\n cs-method: POST\n sc-status: 200\n cs-uri-stem: /ecp/DDI/DDIService.svc/SetObject\n cs-uri-query|contains|all:\n - schema=Reset\n - VirtualDirectory\n cs-username|endswith: $\n keywords:\n '|all':\n - POST\n - 200\n - /ecp/DDI/DDIService.svc/SetObject\n - schema=Reset\n - VirtualDirectory\n - $\n condition: selection or keywords\nfalsepositives:\n- Unlikely\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-26855",
15-
"CVE-2021-26858"
14+
"CVE-2021-26858",
15+
"CVE-2021-26855"
1616
]
1717
}
1818
]
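Review bot: "CVE-2021-26855" and "CVE-2021-26858" are swapped in the "vulnerabilities" array with no other change, and the new order is descending, so it is not the product of a sort. Emitting the array in sorted order would keep this file stable across syncs.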

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE\nid: 52a85084-6989-40c3-8f32-091e12e17692\nstatus: test\ndescription: 'Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484\n leading to local privilege escalation via the User Profile Service.\n\n During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User\n Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate\n many false positives).\n\n Additionally, the directory \\Users\\TEMP may be created during exploitation. This\n behavior was observed on Windows Server 2008.\n\n '\nreferences:\n- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nauthor: Cybex\ndate: 2022-08-16\nmodified: 2025-11-03\ntags:\n- attack.execution\n- detection.emerging-threats\n- cve.2022-21919\n- cve.2021-34484\nlogsource:\n product: windows\n service: application\ndetection:\n selection:\n EventID: 1511\n Provider_Name: Microsoft-Windows-User Profiles Service\n condition: selection\nfalsepositives:\n- Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx\nlevel: low\n",
1313
"vulnerabilities": [
14-
"CVE-2022-21919",
15-
"CVE-2021-34484"
14+
"CVE-2021-34484",
15+
"CVE-2022-21919"
1616
]
1717
}
1818
]
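Review bot: the hunk only moves "CVE-2021-34484" ahead of "CVE-2022-21919" in the "vulnerabilities" array, contrary to both the tag order in the rule and a sorted order. Together with the other nine hunks in this commit, which all show the same pattern, this points to the array being built from an unordered collection; sorting it before writing would keep the sync from touching files whose content has not changed.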
