Sync Collecting Detection Rules: Fri May 15 12:24:28 UTC 2026

Signed-off-by: AboutCode Automation <automation@aboutcode.org>

Author: aboutcode-automation

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n  for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n- attack.execution\n- attack.t1203\n- attack.t1204.002\n- attack.initial-access\n- attack.t1566.001\n- cve.2017-0261\n- detection.emerging-threats\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\WINWORD.EXE\n    Image|contains: \\FLTLDR.exe\n  condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n  (e.g. Temp folders)\nlevel: medium\n",
             "vulnerabilities": [
-                "CVE-2017-0262",
-                "CVE-2017-0261"
+                "CVE-2017-0261",
+                "CVE-2017-0262"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json

@@ -11,9 +11,9 @@
             },
             "rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n  in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n  product: windows\n  service: application\ndetection:\n  selection1:\n    EventID: 4\n    Provider_Name: MSExchange Control Panel\n    Level: Error\n  selection2:\n  - '&__VIEWSTATE='\n  condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
             "vulnerabilities": [
+                "CVE-2020-0688",
                 "CVE-2020-16875",
-                "CVE-2021-24085",
-                "CVE-2020-0688"
+                "CVE-2021-24085"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json

@@ -11,9 +11,9 @@
             },
             "rule_text": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n  type: derived\nstatus: stable\ndescription: 'Detects the remote installation of a print driver which is possible\n  indication of the exploitation of PrintNightmare (CVE-2021-1675).\n\n  The occurrence of print drivers being installed remotely via RPC functions should\n  be rare, as print drivers are normally installed locally and or through group policy.\n\n  '\nreferences:\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n- https://github.com/corelight/CVE-2021-1675\n- https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n- attack.execution\n- cve.2021-1678\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n  product: zeek\n  service: dce_rpc\ndetection:\n  selection:\n    operation:\n    - RpcAsyncInstallPrinterDriverFromPackage\n    - RpcAsyncAddPrintProcessor\n    - RpcAddPrintProcessor\n    - RpcAddPrinterDriverEx\n    - RpcAddPrinterDriver\n    - RpcAsyncAddPrinterDriver\n  condition: selection\nfalsepositives:\n- Legitimate remote alteration of a printer driver.\nlevel: medium\n",
             "vulnerabilities": [
+                "CVE-2021-1678",
                 "CVE-2021-1675",
-                "CVE-2021-34527",
-                "CVE-2021-1678"
+                "CVE-2021-34527"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using\n  OGNL injection\nreferences:\n- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-26084\n- detection.emerging-threats\nlogsource:\n  category: webserver\n  definition: 'Requirements: The POST request body data must be collected in order\n    to make use of certain parts of this detection'\ndetection:\n  selection_main:\n    cs-method: POST\n    sc-status: 200\n    cs-username: anonymous\n  selection_exploit_1:\n    cs-uri-query|contains|all:\n    - /pages/createpage-entervariables.action\n    - SpaceKey=x\n  selection_exploit_2_uri:\n    cs-uri-query|contains: /doenterpagevariables.action\n  selection_exploit_2_keyword:\n  - u0027\n  condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n- Unknown\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2021-260841",
-                "CVE-2021-26084"
+                "CVE-2021-26084",
+                "CVE-2021-260841"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: ProxyLogon Reset Virtual Directories Based On IIS Log\nid: effee1f6-a932-4297-a81f-acb44064fa3a\nstatus: test\ndescription: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack\n  is used to manipulate virtual directories\nreferences:\n- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: frack113\ndate: 2021-08-10\nmodified: 2023-05-08\ntags:\n- cve.2021-26858\n- detection.emerging-threats\n- attack.initial-access\n- attack.t1190\nlogsource:\n  category: webserver\n  definition: 'Requirements: The POST request body data must be collected in order\n    to make use of this detection'\ndetection:\n  selection:\n    cs-method: POST\n    sc-status: 200\n    cs-uri-stem: /ecp/DDI/DDIService.svc/SetObject\n    cs-uri-query|contains|all:\n    - schema=Reset\n    - VirtualDirectory\n    cs-username|endswith: $\n  keywords:\n    '|all':\n    - POST\n    - 200\n    - /ecp/DDI/DDIService.svc/SetObject\n    - schema=Reset\n    - VirtualDirectory\n    - $\n  condition: selection or keywords\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-26858",
-                "CVE-2021-26855"
+                "CVE-2021-26855",
+                "CVE-2021-26858"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum\nid: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n  CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S\ndate: 2021-07-16\nmodified: 2022-10-09\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n    - C:\\Windows\\system32\\physmem.sys\n    - C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll\n    - C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL\n    - C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll\n    - C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat\n    - C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat\n    - C:\\Windows\\system32\\config\\config\\startwus.dat\n    - C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini\n    - C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini\n    - C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-31979",
-                "CVE-2021-33771"
+                "CVE-2021-33771",
+                "CVE-2021-31979"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits\nid: 32b5db62-cb5f-4266-9639-0fa48376ac00\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n  CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S, frack113\ndate: 2021-07-16\nmodified: 2023-08-17\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n  product: windows\n  category: registry_set\ndetection:\n  selection:\n    TargetObject|endswith:\n    - CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)\n    - CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)\n  filter:\n    Details|endswith:\n    - system32\\wbem\\wmiutils.dll\n    - system32\\wbem\\wbemsvc.dll\n  condition: selection and not filter\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-31979",
-                "CVE-2021-33771"
+                "CVE-2021-33771",
+                "CVE-2021-31979"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File\nid: e4556676-fc5c-4e95-8c39-5ef27791541f\nrelated:\n- id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343\n  type: similar\nstatus: test\ndescription: Detects the creation of a file with a double extension and a space by\n  WinRAR. This could be a sign of exploitation of CVE-2023-38331\nreferences:\n- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-30\ntags:\n- attack.execution\n- cve.2023-38331\n- detection.emerging-threats\nlogsource:\n  category: file_event\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\WinRAR.exe\n    TargetFilename|contains: \\AppData\\Local\\Temp\\Rar$\n    TargetFilename|re: \\.[a-zA-Z0-9]{1,4} \\.\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2023-38331",
-                "CVE-2023-38831"
+                "CVE-2023-38831",
+                "CVE-2023-38331"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process\nid: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343\nrelated:\n- id: e4556676-fc5c-4e95-8c39-5ef27791541f\n  type: similar\nstatus: test\ndescription: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23),\n  where an attacker can leverage WinRAR to execute arbitrary commands and binaries.\nreferences:\n- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nauthor: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)\ndate: 2023-08-30\nmodified: 2024-01-22\ntags:\n- detection.emerging-threats\n- attack.execution\n- attack.t1203\n- cve.2023-38331\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_parent:\n    ParentImage|endswith: \\WinRAR.exe\n  selection_folder:\n    CommandLine|contains: \\AppData\\Local\\Temp\\Rar$\n  selection_double_ext:\n    CommandLine|re: \\.[a-zA-Z0-9]{1,4} \\.\n  selection_binaries:\n  - Image|endswith:\n    - \\cmd.exe\n    - \\cscript.exe\n    - \\powershell.exe\n    - \\pwsh.exe\n    - \\wscript.exe\n  - OriginalFileName:\n    - Cmd.Exe\n    - cscript.exe\n    - PowerShell.EXE\n    - pwsh.dll\n    - wscript.exe\n  condition: all of selection_*\nfalsepositives:\n- Unlikely\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2023-38331",
-                "CVE-2023-38831"
+                "CVE-2023-38831",
+                "CVE-2023-38331"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation\nid: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1\nrelated:\n- id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62\n  type: similar\nstatus: test\ndescription: 'This detects file modifications to ASPX and ASHX files within the root\n  of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in\n  versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\n\n  '\nreferences:\n- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n- https://www.cve.org/CVERecord?id=CVE-2024-1709\n- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nauthor: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress\ndate: 2024-02-21\ntags:\n- attack.persistence\n- cve.2024-1708\n- detection.emerging-threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    Image|endswith: \\ScreenConnect.Service.exe\n    TargetFilename|endswith:\n    - ScreenConnect\\\\App_Extensions\\\\*.ashx\n    - ScreenConnect\\\\App_Extensions\\\\*.aspx\n  filter_main_legit_extension:\n    TargetFilename|contains: ScreenConnect\\App_Extensions\\\\*\\\\\n  condition: selection and not 1 of filter_main_*\nfalsepositives:\n- This will occur legitimately as well and will result in some benign activity.\nlevel: medium\n",
             "vulnerabilities": [
-                "CVE-2024-1709",
-                "CVE-2024-1708"
+                "CVE-2024-1708",
+                "CVE-2024-1709"
             ]
         }
     ]