
Commit af2cd4a

Sync Collecting Detection Rules: Wed May 20 14:01:03 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent af74de0 commit af2cd4a

74 files changed

Lines changed: 111546 additions & 111546 deletions


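--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n- attack.execution\n- attack.t1203\n- attack.t1204.002\n- attack.initial-access\n- attack.t1566.001\n- cve.2017-0261\n- detection.emerging-threats\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WINWORD.EXE\n Image|contains: \\FLTLDR.exe\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n",
 "vulnerabilities": [
-"CVE-2017-0262",
-"CVE-2017-0261"
+"CVE-2017-0261",
+"CVE-2017-0262"
 ]
 }
 ]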

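--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.json
@@ -11,9 +11,9 @@
 },
 "rule_text": "title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempt against Citrix Netscaler, Application Delivery\n Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193\n and CVE-2020-8195\nreferences:\n- https://support.citrix.com/article/CTX276688\n- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n- https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2020-8193\n- cve.2020-8195\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection1:\n cs-uri-query|contains: /rapi/filedownload?filter=path:%2F\n selection2:\n cs-uri-query|contains|all:\n - /pcidss/report\n - type=all_signatures\n - sig_name=_default_signature_\n condition: 1 of selection*\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2020-8196",
+"CVE-2020-8195",
 "CVE-2020-8193",
-"CVE-2020-8195"
+"CVE-2020-8196"
 ]
 }
 ]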

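--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection\nid: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561\nstatus: stable\ndescription: Detects the suspicious file that is created from PoC code against Windows\n Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),\n CVE-2021-1675 .\nreferences:\n- https://twitter.com/mvelazco/status/1410291741241102338\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\nauthor: Sittikorn S, Nuttakorn T, Tim Shelton\ndate: 2021-07-01\nmodified: 2023-10-23\ntags:\n- attack.privilege-escalation\n- attack.stealth\n- attack.t1055\n- detection.emerging-threats\n- cve.2021-34527\n- cve.2021-1675\nlogsource:\n category: antivirus\ndetection:\n selection:\n Filename|contains: :\\Windows\\System32\\spool\\drivers\\x64\\\n keywords:\n - File submitted to Symantec\n condition: selection and not keywords\nfalsepositives:\n- Unlikely, or pending PSP analysis\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-34527",
-"CVE-2021-1675"
+"CVE-2021-1675",
+"CVE-2021-34527"
 ]
 }
 ]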

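--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Windows Spooler Service Suspicious Binary Load\nid: 02fb90de-c321-4e63-a6b9-25f4b03dfd14\nstatus: test\ndescription: 'Detect DLL Load from Spooler Service backup folder. This behavior has\n been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675\n and CVE-2021-34527 (PrinterNightmare).\n\n '\nreferences:\n- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n- https://github.com/ly4k/SpoolFool\nauthor: FPT.EagleEye, Thomas Patzke (improvements)\ndate: 2021-06-29\nmodified: 2022-06-02\ntags:\n- attack.persistence\n- attack.privilege-escalation\n- attack.execution\n- attack.stealth\n- attack.t1574\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n category: image_load\n product: windows\ndetection:\n selection:\n Image|endswith: \\spoolsv.exe\n ImageLoaded|contains:\n - \\Windows\\System32\\spool\\drivers\\x64\\3\\\n - \\Windows\\System32\\spool\\drivers\\x64\\4\\\n ImageLoaded|endswith: .dll\n condition: selection\nfalsepositives:\n- Loading of legitimate driver\nlevel: informational\n",
 "vulnerabilities": [
-"CVE-2021-34527",
-"CVE-2021-1675"
+"CVE-2021-1675",
+"CVE-2021-34527"
 ]
 }
 ]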

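--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: PrinterNightmare Mimikatz Driver Name\nid: ba6b9e43-1d45-4d3c-a504-1043a64c8469\nstatus: test\ndescription: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited\n in CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760\n- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n- https://nvd.nist.gov/vuln/detail/cve-2021-1675\n- https://nvd.nist.gov/vuln/detail/cve-2021-34527\nauthor: Markus Neis, @markus_neis, Florian Roth\ndate: 2021-07-04\nmodified: 2023-06-12\ntags:\n- attack.execution\n- attack.t1204\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject|contains:\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\\n - \\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz\n selection_alt:\n TargetObject|contains|all:\n - legitprinter\n - \\Control\\Print\\Environments\\Windows\n selection_print:\n TargetObject|contains:\n - \\Control\\Print\\Environments\n - \\CurrentVersion\\Print\\Printers\n selection_kiwi:\n TargetObject|contains:\n - Gentil Kiwi\n - mimikatz printer\n - Kiwi Legit Printer\n condition: selection or selection_alt or (selection_print and selection_kiwi)\nfalsepositives:\n- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser\n printer (unlikely)\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-34527",
-"CVE-2021-1675"
+"CVE-2021-1675",
+"CVE-2021-34527"
 ]
 }
 ]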

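--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: CVE-2021-1675 Print Spooler Exploitation IPC Access\nid: 8fe1c584-ee61-444b-be21-e9054b229694\nstatus: test\ndescription: Detects remote printer driver load from Detailed File Share in Security\n logs that are a sign of successful exploitation attempts against print spooler vulnerability\n CVE-2021-1675 and CVE-2021-34527\nreferences:\n- https://twitter.com/INIT_3/status/1410662463641731075\nauthor: INIT_6\ndate: 2021-07-02\nmodified: 2022-10-05\ntags:\n- attack.execution\n- attack.t1569\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 5145\n ShareName: \\\\\\\\\\*\\\\IPC$\n RelativeTargetName: spoolss\n AccessMask: '0x3'\n ObjectType: File\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-34527",
-"CVE-2021-1675"
+"CVE-2021-1675",
+"CVE-2021-34527"
 ]
 }
 ]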

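--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.json
@@ -12,8 +12,8 @@
 "rule_text": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n type: derived\nstatus: stable\ndescription: 'Detects the remote installation of a print driver which is possible\n indication of the exploitation of PrintNightmare (CVE-2021-1675).\n\n The occurrence of print drivers being installed remotely via RPC functions should\n be rare, as print drivers are normally installed locally and or through group policy.\n\n '\nreferences:\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n- https://github.com/corelight/CVE-2021-1675\n- https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n- attack.execution\n- cve.2021-1678\n- cve.2021-1675\n- cve.2021-34527\n- detection.emerging-threats\nlogsource:\n product: zeek\n service: dce_rpc\ndetection:\n selection:\n operation:\n - RpcAsyncInstallPrinterDriverFromPackage\n - RpcAsyncAddPrintProcessor\n - RpcAddPrintProcessor\n - RpcAddPrinterDriverEx\n - RpcAddPrinterDriver\n - RpcAsyncAddPrinterDriver\n condition: selection\nfalsepositives:\n- Legitimate remote alteration of a printer driver.\nlevel: medium\n",
 "vulnerabilities": [
 "CVE-2021-1678",
-"CVE-2021-34527",
-"CVE-2021-1675"
+"CVE-2021-1675",
+"CVE-2021-34527"
 ]
 }
 ]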

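--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Arcadyan Router Exploitations\nid: f0500377-bc70-425d-ac8c-e956cd906871\nstatus: test\ndescription: Detects exploitation of vulnerabilities in Arcadyan routers as reported\n in CVE-2021-20090 and CVE-2021-20091.\nreferences:\n- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n- https://www.tenable.com/security/research/tra-2021-13\n- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nauthor: Bhabesh Raj\ndate: 2021-08-24\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-20090\n- cve.2021-20091\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n path_traversal:\n cs-uri-query|contains: ..%2f\n config_file_inj:\n cs-uri-query|contains|all:\n - ..%2f\n - apply_abstract.cgi\n noauth_list:\n cs-uri-query|contains:\n - /images/\n - /js/\n - /css/\n - /setup_top_login.htm\n - /login.html\n - /loginerror.html\n - /loginexclude.html\n - /loginlock.html\n condition: (path_traversal or config_file_inj) and noauth_list\nfalsepositives:\n- Unknown\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-20091",
-"CVE-2021-20090"
+"CVE-2021-20090",
+"CVE-2021-20091"
 ]
 }
 ]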

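--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using\n OGNL injection\nreferences:\n- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-26084\n- detection.emerging-threats\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of certain parts of this detection'\ndetection:\n selection_main:\n cs-method: POST\n sc-status: 200\n cs-username: anonymous\n selection_exploit_1:\n cs-uri-query|contains|all:\n - /pages/createpage-entervariables.action\n - SpaceKey=x\n selection_exploit_2_uri:\n cs-uri-query|contains: /doenterpagevariables.action\n selection_exploit_2_keyword:\n - u0027\n condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2021-260841",
-"CVE-2021-26084"
+"CVE-2021-26084",
+"CVE-2021-260841"
 ]
 }
 ]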
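Review bot: The `vulnerabilities` array on the new side still carries `"CVE-2021-260841"` (file line 15) next to `"CVE-2021-26084"`; the extra trailing digit appears to come from the typo in the rule description (`CVE-2021-260841 a Confluence RCE`), while the rule title and its `cve.2021-26084` tag use the five-digit ID, so the second entry likely does not name a real advisory. The reordering this commit applies leaves that in place, and any consumer that joins alerts to advisories by CVE ID would match on the probable typo. Since this file is sync output, the fix belongs upstream in the rule text or in the collector's extraction step — for example cross-checking extracted IDs against the rule's `cve.*` tags before emitting them — rather than a hand edit here; confirm against the upstream rule before changing anything.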

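--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum\nid: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S\ndate: 2021-07-16\nmodified: 2022-10-09\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n product: windows\n category: file_event\ndetection:\n selection:\n TargetFilename|contains:\n - C:\\Windows\\system32\\physmem.sys\n - C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll\n - C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL\n - C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll\n - C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat\n - C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat\n - C:\\Windows\\system32\\config\\config\\startwus.dat\n - C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini\n - C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini\n - C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-33771",
-"CVE-2021-31979"
+"CVE-2021-31979",
+"CVE-2021-33771"
 ]
 }
 ]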
