
Commit 8ffff2b

Sync Collecting Detection Rules: Sat May 16 11:36:26 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent 45d09d8 commit 8ffff2b

47 files changed

Lines changed: 105648 additions & 105648 deletions


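--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n product: windows\n service: application\ndetection:\n selection1:\n EventID: 4\n Provider_Name: MSExchange Control Panel\n Level: Error\n selection2:\n - '&__VIEWSTATE='\n condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2020-16875",
 "CVE-2021-24085",
+"CVE-2020-16875",
 "CVE-2020-0688"
 ]
 }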
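Review bot: The `vulnerabilities` array looks like it is serialized in non-deterministic order: this section and the other nine in the commit (web_cve_2020_8193_8195_citrix_exploit.json through web_cve_2023_25157_geoserver_sql_injection.json) differ from the previous revision only in the order of the array entries, and the diffstat of 105648 additions against 105648 deletions points the same way. Sorting the identifiers before writing the file would make the sync idempotent and keep future diffs limited to actual rule changes. Separately, this file lists CVE-2020-16875 and CVE-2021-24085 even though the rule's tags carry only `cve.2020-0688` and the other two identifiers appear solely inside a reference URL; if the mapping is derived by pattern-matching `rule_text`, it will overstate what the rule detects, which is worth confirming against the extractor.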

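--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
@@ -12,8 +12,8 @@
 "rule_text": "title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempt against Citrix Netscaler, Application Delivery\n Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193\n and CVE-2020-8195\nreferences:\n- https://support.citrix.com/article/CTX276688\n- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n- https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-8193\n- cve.2020-8195\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection1:\n cs-uri-query|contains: /rapi/filedownload?filter=path:%2F\n selection2:\n cs-uri-query|contains|all:\n - /pcidss/report\n - type=all_signatures\n - sig_name=_default_signature_\n condition: 1 of selection*\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
 "CVE-2020-8196",
-"CVE-2020-8193",
-"CVE-2020-8195"
+"CVE-2020-8195",
+"CVE-2020-8193"
 ]
 }
 ]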

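--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: ProxyLogon Reset Virtual Directories Based On IIS Log\nid: effee1f6-a932-4297-a81f-acb44064fa3a\nstatus: test\ndescription: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack\n is used to manipulate virtual directories\nreferences:\n- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: frack113\ndate: 2021-08-10\nmodified: 2023-05-08\ntags:\n- cve.2021-26858\n- detection.emerging-threats\n- attack.initial-access\n- attack.t1190\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of this detection'\ndetection:\n selection:\n cs-method: POST\n sc-status: 200\n cs-uri-stem: /ecp/DDI/DDIService.svc/SetObject\n cs-uri-query|contains|all:\n - schema=Reset\n - VirtualDirectory\n cs-username|endswith: $\n keywords:\n '|all':\n - POST\n - 200\n - /ecp/DDI/DDIService.svc/SetObject\n - schema=Reset\n - VirtualDirectory\n - $\n condition: selection or keywords\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-26858",
-"CVE-2021-26855"
+"CVE-2021-26855",
+"CVE-2021-26858"
 ]
 }
 ]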

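--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE\nid: 52a85084-6989-40c3-8f32-091e12e17692\nstatus: test\ndescription: 'Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484\n leading to local privilege escalation via the User Profile Service.\n\n During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User\n Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate\n many false positives).\n\n Additionally, the directory \\Users\\TEMP may be created during exploitation. This\n behavior was observed on Windows Server 2008.\n\n '\nreferences:\n- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nauthor: Cybex\ndate: 2022-08-16\nmodified: 2025-11-03\ntags:\n- attack.execution\n- detection.emerging-threats\n- cve.2022-21919\n- cve.2021-34484\nlogsource:\n product: windows\n service: application\ndetection:\n selection:\n EventID: 1511\n Provider_Name: Microsoft-Windows-User Profiles Service\n condition: selection\nfalsepositives:\n- Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx\nlevel: low\n",
 "vulnerabilities": [
-"CVE-2021-34484",
-"CVE-2022-21919"
+"CVE-2022-21919",
+"CVE-2021-34484"
 ]
 }
 ]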

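--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential OWASSRF Exploitation Attempt - Proxy\nid: 1ddf4596-1908-43c9-add2-1d2c2fcc4797\nstatus: test\ndescription: Detects exploitation attempt of the OWASSRF variant targeting exchange\n servers It uses the OWA endpoint to access the powershell backend endpoint\nreferences:\n- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\ntags:\n- attack.initial-access\n- attack.t1190\n- detection.emerging-threats\nlogsource:\n category: proxy\ndetection:\n selection:\n cs-method: POST\n sc-status: 200\n c-uri|contains|all:\n - /owa/\n - /powershell\n c-uri|contains:\n - '@'\n - '%40'\n filter_main_ua:\n c-useragent:\n - ClientInfo\n - Microsoft WinRM Client\n - Exchange BackEnd Probes\n condition: selection and not 1 of filter_main_*\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-41082",
-"CVE-2022-41080"
+"CVE-2022-41080",
+"CVE-2022-41082"
 ]
 }
 ]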

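--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: OWASSRF Exploitation Attempt Using Public POC - Proxy\nid: fdd7e904-7304-4616-a46a-e32f917c4be4\nstatus: test\ndescription: Detects exploitation attempt of the OWASSRF variant targeting exchange\n servers using publicly available POC. It uses the OWA endpoint to access the powershell\n backend endpoint\nreferences:\n- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\n- https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\ntags:\n- attack.initial-access\n- attack.t1190\n- detection.emerging-threats\nlogsource:\n category: proxy\ndetection:\n selection:\n c-useragent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,\n like Gecko) Chrome/105.0.5195.54 Safari/537.36\n cs-method: POST\n sc-status: 200\n c-uri|contains|all:\n - /owa/mastermailbox\n - /powershell\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2022-41082",
-"CVE-2022-41080"
+"CVE-2022-41080",
+"CVE-2022-41082"
 ]
 }
 ]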

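--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential OWASSRF Exploitation Attempt - Webserver\nid: 181f49fa-0b21-4665-a98c-a57025ebb8c7\nstatus: test\ndescription: Detects exploitation attempt of the OWASSRF variant targeting exchange\n servers It uses the OWA endpoint to access the powershell backend endpoint\nreferences:\n- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection:\n cs-method: POST\n sc-status: 200\n cs-uri-query|contains|all:\n - /owa/\n - /powershell\n cs-uri-query|contains:\n - '@'\n - '%40'\n filter_main_ua:\n cs-user-agent:\n - ClientInfo\n - Microsoft WinRM Client\n - Exchange BackEnd Probes\n condition: selection and not 1 of filter_main_*\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-41082",
-"CVE-2022-41080"
+"CVE-2022-41080",
+"CVE-2022-41082"
 ]
 }
 ]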

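--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: OWASSRF Exploitation Attempt Using Public POC - Webserver\nid: 92d78c63-5a5c-4c40-9b60-463810ffb082\nstatus: test\ndescription: Detects exploitation attempt of the OWASSRF variant targeting exchange\n servers using publicly available POC. It uses the OWA endpoint to access the powershell\n backend endpoint\nreferences:\n- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\n- https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection:\n cs-user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,\n like Gecko) Chrome/105.0.5195.54 Safari/537.36\n cs-method: POST\n sc-status: 200\n cs-uri-query|contains|all:\n - /owa/mastermailbox\n - /powershell\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2022-41082",
-"CVE-2022-41080"
+"CVE-2022-41080",
+"CVE-2022-41082"
 ]
 }
 ]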

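--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2022-46169 Exploitation Attempt\nid: 738cb115-881f-4df3-82cc-56ab02fc5192\nstatus: test\ndescription: Detects potential exploitation attempts that target the Cacti Command\n Injection CVE-2022-46169\nreferences:\n- https://github.com/0xf4n9x/CVE-2022-46169\n- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\n- https://github.com/rapid7/metasploit-framework/pull/17407\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-27\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-46169\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection:\n cs-method: GET\n cs-uri-query|contains|all:\n - /remote_agent.php\n - action=polldata\n - poller_id=\n cs-uri-query|contains:\n - '| base64 -d | /bin/bash`'\n - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60'\n - '`whoami'\n - powershell\n - cmd\n - wget\n condition: selection\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"GHSA-6P93-P743-35GF",
-"CVE-2022-46169"
+"CVE-2022-46169",
+"GHSA-6P93-P743-35GF"
 ]
 }
 ]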

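--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2023-25157 Exploitation Attempt\nid: c0341543-5ed0-4475-aabc-7eea8c52aa66\nstatus: test\ndescription: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection\n in GeoServer\nreferences:\n- https://github.com/win3zz/CVE-2023-25157\n- https://twitter.com/parzel2/status/1665726454489915395\n- https://github.com/advisories/GHSA-7g5f-wrx8-5ccf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-14\ntags:\n- attack.initial-access\n- cve.2023-25157\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection_url:\n cs-method: GET\n cs-uri-query|contains|all:\n - /geoserver/ows\n - CQL_FILTER=\n cs-uri-query|contains:\n - PropertyIsLike\n - strEndsWith\n - strStartsWith\n - FeatureId\n - jsonArrayContains\n - DWithin\n selection_payload:\n cs-uri-query|contains:\n - +--\n - +AS+\n - +OR+\n - FROM\n - ORDER+BY\n - SELECT\n - sleep%28\n - substring%28\n - UNION\n - WHERE\n condition: all of selection_*\nfalsepositives:\n- Vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2023-25157",
-"GHSA-7G5F-WRX8-5CCF"
+"GHSA-7G5F-WRX8-5CCF",
+"CVE-2023-25157"
 ]
 }
 ]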
