Sync Collecting Detection Rules: Wed May 20 17:08:09 UTC 2026

Signed-off-by: AboutCode Automation <automation@aboutcode.org>

Author: aboutcode-automation

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described\n  in CVE-2020-0688\nreferences:\n- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-0688\n- detection.emerging-threats\nlogsource:\n  product: windows\n  service: application\ndetection:\n  selection1:\n    EventID: 4\n    Provider_Name: MSExchange Control Panel\n    Level: Error\n  selection2:\n  - '&__VIEWSTATE='\n  condition: all of selection*\nfalsepositives:\n- Unknown\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2021-24085",
                 "CVE-2020-0688",
+                "CVE-2021-24085",
                 "CVE-2020-16875"
             ]
         }

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json

@@ -11,9 +11,9 @@
             },
             "rule_text": "title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempt against Citrix Netscaler, Application Delivery\n  Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193\n  and CVE-2020-8195\nreferences:\n- https://support.citrix.com/article/CTX276688\n- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n- https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-8193\n- cve.2020-8195\n- detection.emerging-threats\nlogsource:\n  category: webserver\ndetection:\n  selection1:\n    cs-uri-query|contains: /rapi/filedownload?filter=path:%2F\n  selection2:\n    cs-uri-query|contains|all:\n    - /pcidss/report\n    - type=all_signatures\n    - sig_name=_default_signature_\n  condition: 1 of selection*\nfalsepositives:\n- Unknown\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2020-8195",
                 "CVE-2020-8193",
-                "CVE-2020-8196"
+                "CVE-2020-8196",
+                "CVE-2020-8195"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Arcadyan Router Exploitations\nid: f0500377-bc70-425d-ac8c-e956cd906871\nstatus: test\ndescription: Detects exploitation of vulnerabilities in Arcadyan routers as reported\n  in CVE-2021-20090 and CVE-2021-20091.\nreferences:\n- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n- https://www.tenable.com/security/research/tra-2021-13\n- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nauthor: Bhabesh Raj\ndate: 2021-08-24\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-20090\n- cve.2021-20091\n- detection.emerging-threats\nlogsource:\n  category: webserver\ndetection:\n  path_traversal:\n    cs-uri-query|contains: ..%2f\n  config_file_inj:\n    cs-uri-query|contains|all:\n    - ..%2f\n    - apply_abstract.cgi\n  noauth_list:\n    cs-uri-query|contains:\n    - /images/\n    - /js/\n    - /css/\n    - /setup_top_login.htm\n    - /login.html\n    - /loginerror.html\n    - /loginexclude.html\n    - /loginlock.html\n  condition: (path_traversal or config_file_inj) and noauth_list\nfalsepositives:\n- Unknown\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-20090",
-                "CVE-2021-20091"
+                "CVE-2021-20091",
+                "CVE-2021-20090"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: ProxyLogon Reset Virtual Directories Based On IIS Log\nid: effee1f6-a932-4297-a81f-acb44064fa3a\nstatus: test\ndescription: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack\n  is used to manipulate virtual directories\nreferences:\n- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: frack113\ndate: 2021-08-10\nmodified: 2023-05-08\ntags:\n- cve.2021-26858\n- detection.emerging-threats\n- attack.initial-access\n- attack.t1190\nlogsource:\n  category: webserver\n  definition: 'Requirements: The POST request body data must be collected in order\n    to make use of this detection'\ndetection:\n  selection:\n    cs-method: POST\n    sc-status: 200\n    cs-uri-stem: /ecp/DDI/DDIService.svc/SetObject\n    cs-uri-query|contains|all:\n    - schema=Reset\n    - VirtualDirectory\n    cs-username|endswith: $\n  keywords:\n    '|all':\n    - POST\n    - 200\n    - /ecp/DDI/DDIService.svc/SetObject\n    - schema=Reset\n    - VirtualDirectory\n    - $\n  condition: selection or keywords\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-26855",
-                "CVE-2021-26858"
+                "CVE-2021-26858",
+                "CVE-2021-26855"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum\nid: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n  CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S\ndate: 2021-07-16\nmodified: 2022-10-09\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n    - C:\\Windows\\system32\\physmem.sys\n    - C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll\n    - C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL\n    - C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll\n    - C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat\n    - C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat\n    - C:\\Windows\\system32\\config\\config\\startwus.dat\n    - C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini\n    - C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini\n    - C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-31979",
-                "CVE-2021-33771"
+                "CVE-2021-33771",
+                "CVE-2021-31979"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits\nid: 32b5db62-cb5f-4266-9639-0fa48376ac00\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n  CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S, frack113\ndate: 2021-07-16\nmodified: 2023-08-17\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n  product: windows\n  category: registry_set\ndetection:\n  selection:\n    TargetObject|endswith:\n    - CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)\n    - CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)\n  filter:\n    Details|endswith:\n    - system32\\wbem\\wmiutils.dll\n    - system32\\wbem\\wbemsvc.dll\n  condition: selection and not filter\nfalsepositives:\n- Unlikely\nlevel: critical\n",
             "vulnerabilities": [
-                "CVE-2021-31979",
-                "CVE-2021-33771"
+                "CVE-2021-33771",
+                "CVE-2021-31979"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE\nid: 52a85084-6989-40c3-8f32-091e12e17692\nstatus: test\ndescription: 'Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484\n  leading to local privilege escalation via the User Profile Service.\n\n  During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User\n  Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate\n  many false positives).\n\n  Additionally, the directory \\Users\\TEMP may be created during exploitation. This\n  behavior was observed on Windows Server 2008.\n\n  '\nreferences:\n- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nauthor: Cybex\ndate: 2022-08-16\nmodified: 2025-11-03\ntags:\n- attack.execution\n- detection.emerging-threats\n- cve.2022-21919\n- cve.2021-34484\nlogsource:\n  product: windows\n  service: application\ndetection:\n  selection:\n    EventID: 1511\n    Provider_Name: Microsoft-Windows-User Profiles Service\n  condition: selection\nfalsepositives:\n- Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx\nlevel: low\n",
             "vulnerabilities": [
-                "CVE-2021-34484",
-                "CVE-2022-21919"
+                "CVE-2022-21919",
+                "CVE-2021-34484"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800\nid: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8\nstatus: test\ndescription: 'Detects potential exploitation attempts of Nimbuspwn vulnerabilities\n  CVE-2022-29799 and CVE-2022-27800 in Linux systems.\n\n  '\nreferences:\n- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\n- https://github.com/Immersive-Labs-Sec/nimbuspwn\nauthor: Bhabesh Raj\ndate: 2022-05-04\nmodified: 2025-11-03\ntags:\n- attack.privilege-escalation\n- attack.t1068\n- detection.emerging-threats\n- cve.2022-29799\n- cve.2022-27800\nlogsource:\n  product: linux\ndetection:\n  keywords:\n    '|all':\n    - networkd-dispatcher\n    - Error handling notification for interface\n    - ../../\n  condition: keywords\nfalsepositives:\n- Unknown\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2022-27800",
-                "CVE-2022-29799"
+                "CVE-2022-29799",
+                "CVE-2022-27800"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Apache Spark Shell Command Injection - ProcessCreation\nid: c8a5f584-cdc8-42cc-8cce-0398e4265de3\nstatus: test\ndescription: Detects attempts to exploit an apache spark server via CVE-2014-6287\n  from a commandline perspective\nreferences:\n- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n- https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-20\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-33891\n- detection.emerging-threats\nlogsource:\n  product: linux\n  category: process_creation\ndetection:\n  selection:\n    ParentImage|endswith: \\bash\n    CommandLine|contains:\n    - id -Gn `\n    - id -Gn '\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2014-6287",
-                "CVE-2022-33891"
+                "CVE-2022-33891",
+                "CVE-2014-6287"
             ]
         }
     ]

data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.json

@@ -11,8 +11,8 @@
             },
             "rule_text": "title: Apache Spark Shell Command Injection - Weblogs\nid: 1a9a04fd-02d1-465c-abad-d733fd409f9c\nstatus: test\ndescription: Detects attempts to exploit an apache spark server via CVE-2014-6287\n  from a weblogs perspective\nreferences:\n- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n- https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-19\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-33891\n- detection.emerging-threats\nlogsource:\n  category: webserver\ndetection:\n  selection:\n    cs-uri-query|contains: ?doAs=`\n  condition: selection\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
             "vulnerabilities": [
-                "CVE-2014-6287",
-                "CVE-2022-33891"
+                "CVE-2022-33891",
+                "CVE-2014-6287"
             ]
         }
     ]