
Commit 4ac510e

Sync Collecting Detection Rules: Sun May 17 04:25:01 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent f63c77c commit 4ac510e

87 files changed

Lines changed: 103704 additions & 103704 deletions


data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,9 @@
1111
},
1212
"rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n product: windows\n service: application\ndetection:\n selection1:\n EventID: 4\n Provider_Name: MSExchange Control Panel\n Level: Error\n selection2:\n - '&__VIEWSTATE='\n condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
1313
"vulnerabilities": [
14+
"CVE-2021-24085",
1415
"CVE-2020-0688",
15-
"CVE-2020-16875",
16-
"CVE-2021-24085"
16+
"CVE-2020-16875"
1717
]
1818
}
1919
]
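Review bot: two of the three IDs in this `vulnerabilities` array (CVE-2020-16875 and CVE-2021-24085) occur nowhere in the rule except inside the cyberpolygon.com reference URL, while the rule's own `cve.*` tag declares only cve.2020-0688; harvesting CVE identifiers from reference URLs over-attributes the rule, so restrict extraction to the tags, title and description, or at least record URL-derived IDs separately. The hunk itself is a pure permutation (CVE-2021-24085 moves to the front, CVE-2020-16875 to the end), which indicates the collector serialises an unordered set; emit the list sorted so that re-running the sync is idempotent and does not produce diffs like this one.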

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json

Lines changed: 2 additions & 2 deletions
@@ -11,9 +11,9 @@
1111
},
1212
"rule_text": "title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempt against Citrix Netscaler, Application Delivery\n Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193\n and CVE-2020-8195\nreferences:\n- https://support.citrix.com/article/CTX276688\n- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n- https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-8193\n- cve.2020-8195\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection1:\n cs-uri-query|contains: /rapi/filedownload?filter=path:%2F\n selection2:\n cs-uri-query|contains|all:\n - /pcidss/report\n - type=all_signatures\n - sig_name=_default_signature_\n condition: 1 of selection*\nfalsepositives:\n- Unknown\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2020-8196",
14+
"CVE-2020-8195",
1515
"CVE-2020-8193",
16-
"CVE-2020-8195"
16+
"CVE-2020-8196"
1717
]
1818
}
1919
]
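Review bot: CVE-2020-8196 is present in this array only because it appears in the research.nccgroup.com reference URL; the rule tags declare cve.2020-8193 and cve.2020-8195 and the title names the same two, so the third ID should not be attributed to this rule without a separate source field. The reorder of CVE-2020-8196 and CVE-2020-8195 around the unchanged CVE-2020-8193 is again consistent with hash-ordered set iteration; sorting the list before writing the JSON removes this churn.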

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection\nid: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561\nstatus: stable\ndescription: Detects the suspicious file that is created from PoC code against Windows\n Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),\n CVE-2021-1675 .\nreferences:\n- https://twitter.com/mvelazco/status/1410291741241102338\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\nauthor: Sittikorn S, Nuttakorn T, Tim Shelton\ndate: 2021-07-01\nmodified: 2023-10-23\ntags:\n- attack.privilege-escalation\n- attack.stealth\n- attack.t1055\n- detection.emerging-threats\n- cve.2021-34527\n- cve.2021-1675\nlogsource:\n category: antivirus\ndetection:\n selection:\n Filename|contains: :\\Windows\\System32\\spool\\drivers\\x64\\\n keywords:\n - File submitted to Symantec\n condition: selection and not keywords\nfalsepositives:\n- Unlikely, or pending PSP analysis\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
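Review bot: this hunk swaps the only two entries, CVE-2021-1675 and CVE-2021-34527, with no content change; both IDs are backed by the rule's `cve.2021-34527` and `cve.2021-1675` tags, so attribution is correct and the only defect is non-deterministic ordering. Writing the array with a stable sort (and `sort_keys=True` for the object keys) would keep a no-op sync from touching this file at all.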

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Windows Spooler Service Suspicious Binary Load\nid: 02fb90de-c321-4e63-a6b9-25f4b03dfd14\nstatus: test\ndescription: 'Detect DLL Load from Spooler Service backup folder. This behavior has\n been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675\n and CVE-2021-34527 (PrinterNightmare).\n\n '\nreferences:\n- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n- https://github.com/ly4k/SpoolFool\nauthor: FPT.EagleEye, Thomas Patzke (improvements)\ndate: 2021-06-29\nmodified: 2022-06-02\ntags:\n- attack.persistence\n- attack.privilege-escalation\n- attack.execution\n- attack.stealth\n- attack.t1574\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n category: image_load\n product: windows\ndetection:\n selection:\n Image|endswith: \\spoolsv.exe\n ImageLoaded|contains:\n - \\Windows\\System32\\spool\\drivers\\x64\\3\\\n - \\Windows\\System32\\spool\\drivers\\x64\\4\\\n ImageLoaded|endswith: .dll\n condition: selection\nfalsepositives:\n- Loading of legitimate driver\nlevel: informational\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
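Review bot: the two-element swap here carries no information. If the collector builds the array from the rule's tags, preserving tag order (cve.2021-1675, then cve.2021-34527 as they appear in the rule) is deterministic and arguably more meaningful than a lexical sort, since the rule author lists the primary CVE first; either choice is preferable to the current set iteration order.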

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: PrinterNightmare Mimikatz Driver Name\nid: ba6b9e43-1d45-4d3c-a504-1043a64c8469\nstatus: test\ndescription: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited\n in CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760\n- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n- https://nvd.nist.gov/vuln/detail/cve-2021-1675\n- https://nvd.nist.gov/vuln/detail/cve-2021-34527\nauthor: Markus Neis, @markus_neis, Florian Roth\ndate: 2021-07-04\nmodified: 2023-06-12\ntags:\n- attack.execution\n- attack.t1204\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject|contains:\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz\n selection_alt:\n TargetObject|contains|all:\n - legitprinter\n - \\Control\\Print\\Environments\\Windows\n selection_print:\n TargetObject|contains:\n - \\Control\\Print\\Environments\n - \\CurrentVersion\\Print\\Printers\n selection_kiwi:\n TargetObject|contains:\n - Gentil Kiwi\n - mimikatz printer\n - Kiwi Legit Printer\n condition: selection or selection_alt or (selection_print and selection_kiwi)\nfalsepositives:\n- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser\n printer (unlikely)\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
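Review bot: same two-entry swap of CVE-2021-1675 and CVE-2021-34527 as in the neighbouring PrintNightmare rules; the file sits under a directory named for CVE-2021-1675, so a reasonable deterministic rule is to place the directory's CVE first and sort the remainder. Whatever rule is chosen, the serializer should apply it consistently so this commit's 103704 additions and deletions are not repeated on the next run.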

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: CVE-2021-1675 Print Spooler Exploitation IPC Access\nid: 8fe1c584-ee61-444b-be21-e9054b229694\nstatus: test\ndescription: Detects remote printer driver load from Detailed File Share in Security\n logs that are a sign of successful exploitation attempts against print spooler vulnerability\n CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://twitter.com/INIT_3/status/1410662463641731075\nauthor: INIT_6\ndate: 2021-07-02\nmodified: 2022-10-05\ntags:\n- attack.execution\n- attack.t1569\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 5145\n ShareName: \\\\\\\\\\*\\\\IPC$\n RelativeTargetName: spoolss\n AccessMask: '0x3'\n ObjectType: File\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
15-
"CVE-2021-34527"
14+
"CVE-2021-34527",
15+
"CVE-2021-1675"
1616
]
1717
}
1818
]
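Review bot: pure permutation of two IDs again, both correctly sourced from the `cve.2021-1675` and `cve.2021-34527` tags. Unrelated to the order, the escaped `ShareName: \\\\\\\\\\*\\\\IPC$` string embedded in `rule_text` shows the collector stores the Sigma YAML as one JSON string; if downstream consumers key on this field, a stable array order matters even more, because any change to the file forces re-ingestion of the whole rule.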

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json

Lines changed: 1 addition & 1 deletion
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n type: derived\nstatus: stable\ndescription: 'Detects the remote installation of a print driver which is possible\n indication of the exploitation of PrintNightmare (CVE-2021-1675).\n\n The occurrence of print drivers being installed remotely via RPC functions should\n be rare, as print drivers are normally installed locally and or through group policy.\n\n '\nreferences:\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n- https://github.com/corelight/CVE-2021-1675\n- https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n- attack.execution\n- cve.2021-1678\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: zeek\n service: dce_rpc\ndetection:\n selection:\n operation:\n - RpcAsyncInstallPrinterDriverFromPackage\n - RpcAsyncAddPrintProcessor\n - RpcAddPrintProcessor\n - RpcAddPrinterDriverEx\n - RpcAddPrinterDriver\n - RpcAsyncAddPrinterDriver\n condition: selection\nfalsepositives:\n- Legitimate remote alteration of a printer driver.\nlevel: medium\n",
1313
"vulnerabilities": [
14-
"CVE-2021-1675",
1514
"CVE-2021-34527",
15+
"CVE-2021-1675",
1616
"CVE-2021-1678"
1717
]
1818
}

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using\n OGNL injection\nreferences:\n- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-26084\n- detection.emerging-threats\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of certain parts of this detection'\ndetection:\n selection_main:\n cs-method: POST\n sc-status: 200\n cs-username: anonymous\n selection_exploit_1:\n cs-uri-query|contains|all:\n - /pages/createpage-entervariables.action\n - SpaceKey=x\n selection_exploit_2_uri:\n cs-uri-query|contains: /doenterpagevariables.action\n selection_exploit_2_keyword:\n - u0027\n condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n- Unknown\nlevel: high\n",
1313
"vulnerabilities": [
14-
"CVE-2021-26084",
15-
"CVE-2021-260841"
14+
"CVE-2021-260841",
15+
"CVE-2021-26084"
1616
]
1717
}
1818
]
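Review bot: "CVE-2021-260841" should not be in this array at all. The rule's title, `cve.2021-26084` tag and all four references use CVE-2021-26084; the six-digit form appears only once, in the description ("Detects potential exploitation of CVE-2021-260841 a Confluence RCE"), where it reads as an upstream typo for "CVE-2021-26084, a". The collector is extracting any CVE-shaped token from free text without validation, so either cross-check extracted IDs against the rule's `cve.*` tags or resolve them against an authoritative CVE source before emitting them; otherwise the sync keeps alternating the order of a real and a bogus identifier.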

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Potential Exploitation Attempt From Office Application\nid: 868955d9-697e-45d4-a3da-360cefd7c216\nstatus: test\ndescription: Detects Office applications executing a child process that includes directory\n traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE)\n or CVE-2021-40444 (MSHTML RCE)\nreferences:\n- https://twitter.com/sbousseaden/status/1531653369546301440\n- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\nauthor: Christian Burkard (Nextron Systems), @SBousseaden (idea)\ndate: 2022-06-02\nmodified: 2023-02-04\ntags:\n- attack.execution\n- cve.2021-40444\n- detection.emerging-threats\n- attack.stealth\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith:\n - \\winword.exe\n - \\excel.exe\n - \\powerpnt.exe\n - \\msaccess.exe\n - \\mspub.exe\n - \\eqnedt32.exe\n - \\visio.exe\n CommandLine|contains:\n - ../../../..\n - ..\\..\\..\\..\n - ..//..//..//..\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n",
1313
"vulnerabilities": [
14-
"CVE-2021-40444",
15-
"CVE-2022-30190"
14+
"CVE-2022-30190",
15+
"CVE-2021-40444"
1616
]
1717
}
1818
]
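Review bot: the rule tags declare only `cve.2021-40444`, while CVE-2022-30190 enters the array from the description ("CVE-2022-30190 (MSDT RCE)") and the MSRC reference URL; that attribution is defensible here because the description names it explicitly, but it is the same free-text extraction path that produces false IDs elsewhere in this commit, so consider recording the source of each ID. The swap to CVE-2022-30190 before CVE-2021-40444 is not even sorted order, which confirms the list is emitted in whatever order the set happens to iterate.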

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@
1111
},
1212
"rule_text": "title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800\nid: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8\nstatus: test\ndescription: 'Detects potential exploitation attempts of Nimbuspwn vulnerabilities\n CVE-2022-29799 and CVE-2022-27800 in Linux systems.\n\n '\nreferences:\n- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\n- https://github.com/Immersive-Labs-Sec/nimbuspwn\nauthor: Bhabesh Raj\ndate: 2022-05-04\nmodified: 2025-11-03\ntags:\n- attack.privilege-escalation\n- attack.t1068\n- detection.emerging-threats\n- cve.2022-29799\n- cve.2022-27800\nlogsource:\n product: linux\ndetection:\n keywords:\n '|all':\n - networkd-dispatcher\n - Error handling notification for interface\n - ../../\n condition: keywords\nfalsepositives:\n- Unknown\nlevel: high\n",
1313
"vulnerabilities": [
14-
"CVE-2022-29799",
15-
"CVE-2022-27800"
14+
"CVE-2022-27800",
15+
"CVE-2022-29799"
1616
]
1717
}
1818
]
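Review bot: the path carries `cve_2022_27999` where the rule body, tags and directory name all say CVE-2022-29799; the array correctly contains CVE-2022-29799 and CVE-2022-27800 and not 27999, which confirms the collector derives IDs from the rule text rather than the filename, so the upstream filename typo does not propagate. The remaining change is the usual two-entry swap, fixed by sorting the array before writing.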
