
Commit af74de0

Sync Collecting Detection Rules: Wed May 20 08:43:10 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent 1aec504 commit af74de0

64 files changed

Lines changed: 118770 additions & 118770 deletions




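--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n- attack.execution\n- attack.t1203\n- attack.t1204.002\n- attack.initial-access\n- attack.t1566.001\n- cve.2017-0261\n- detection.emerging-threats\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WINWORD.EXE\n Image|contains: \\FLTLDR.exe\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n",
 "vulnerabilities": [
-"CVE-2017-0261",
-"CVE-2017-0262"
+"CVE-2017-0262",
+"CVE-2017-0261"
 ]
 }
 ]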
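Review bot: Every hunk in this sync is a pure reordering of the `vulnerabilities` array (here `CVE-2017-0261` and `CVE-2017-0262` just swap places), which suggests the collector serializes the list from an unordered set, so the 118770/118770 diffstat appears to be ordering churn rather than a content change. Sorting the IDs before serialization in the collector (`"vulnerabilities": sorted(ids)`) would make the output deterministic, keep future syncs reviewable, and make the per-file hash stable for anyone verifying the dataset. The enclosing JSON object starts before this hunk.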

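--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using\n OGNL injection\nreferences:\n- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2021-26084\n- detection.emerging-threats\nlogsource:\n category: webserver\n definition: 'Requirements: The POST request body data must be collected in order\n to make use of certain parts of this detection'\ndetection:\n selection_main:\n cs-method: POST\n sc-status: 200\n cs-username: anonymous\n selection_exploit_1:\n cs-uri-query|contains|all:\n - /pages/createpage-entervariables.action\n - SpaceKey=x\n selection_exploit_2_uri:\n cs-uri-query|contains: /doenterpagevariables.action\n selection_exploit_2_keyword:\n - u0027\n condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2021-26084",
-"CVE-2021-260841"
+"CVE-2021-260841",
+"CVE-2021-26084"
 ]
 }
 ]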
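Review bot: `CVE-2021-260841` in the new `vulnerabilities` array is not a real identifier; it is lifted from a typo in the rule description (`exploitation of CVE-2021-260841 a Confluence RCE`), so any downstream join against CVE data gets a dangling ID. The collector evidently harvests every CVE-shaped token from `rule_text`; cross-checking against the rule's own `tags` (which list only `cve.2021-26084`) or against the published CVE list would drop it. The typo itself belongs upstream in the Sigma rule and is not introduced by this commit, which only reorders the two entries.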

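--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum\nid: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S\ndate: 2021-07-16\nmodified: 2022-10-09\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n product: windows\n category: file_event\ndetection:\n selection:\n TargetFilename|contains:\n - C:\\Windows\\system32\\physmem.sys\n - C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll\n - C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL\n - C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll\n - C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat\n - C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat\n - C:\\Windows\\system32\\config\\config\\startwus.dat\n - C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini\n - C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini\n - C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-31979",
-"CVE-2021-33771"
+"CVE-2021-33771",
+"CVE-2021-31979"
 ]
 }
 ]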

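--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: CVE-2021-31979 CVE-2021-33771 Exploits\nid: 32b5db62-cb5f-4266-9639-0fa48376ac00\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979\n CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S, frack113\ndate: 2021-07-16\nmodified: 2023-08-17\ntags:\n- attack.initial-access\n- attack.execution\n- attack.credential-access\n- attack.t1566\n- attack.t1203\n- cve.2021-33771\n- cve.2021-31979\n- detection.emerging-threats\nlogsource:\n product: windows\n category: registry_set\ndetection:\n selection:\n TargetObject|endswith:\n - CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)\n - CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)\n filter:\n Details|endswith:\n - system32\\wbem\\wmiutils.dll\n - system32\\wbem\\wbemsvc.dll\n condition: selection and not filter\nfalsepositives:\n- Unlikely\nlevel: critical\n",
 "vulnerabilities": [
-"CVE-2021-31979",
-"CVE-2021-33771"
+"CVE-2021-33771",
+"CVE-2021-31979"
 ]
 }
 ]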

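--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential Exploitation Attempt From Office Application\nid: 868955d9-697e-45d4-a3da-360cefd7c216\nstatus: test\ndescription: Detects Office applications executing a child process that includes directory\n traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE)\n or CVE-2021-40444 (MSHTML RCE)\nreferences:\n- https://twitter.com/sbousseaden/status/1531653369546301440\n- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\nauthor: Christian Burkard (Nextron Systems), @SBousseaden (idea)\ndate: 2022-06-02\nmodified: 2023-02-04\ntags:\n- attack.execution\n- cve.2021-40444\n- detection.emerging-threats\n- attack.stealth\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith:\n - \\winword.exe\n - \\excel.exe\n - \\powerpnt.exe\n - \\msaccess.exe\n - \\mspub.exe\n - \\eqnedt32.exe\n - \\visio.exe\n CommandLine|contains:\n - ../../../..\n - ..\\..\\..\\..\n - ..//..//..//..\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-30190",
-"CVE-2021-40444"
+"CVE-2021-40444",
+"CVE-2022-30190"
 ]
 }
 ]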

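--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE\nid: 52a85084-6989-40c3-8f32-091e12e17692\nstatus: test\ndescription: 'Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484\n leading to local privilege escalation via the User Profile Service.\n\n During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User\n Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate\n many false positives).\n\n Additionally, the directory \\Users\\TEMP may be created during exploitation. This\n behavior was observed on Windows Server 2008.\n\n '\nreferences:\n- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nauthor: Cybex\ndate: 2022-08-16\nmodified: 2025-11-03\ntags:\n- attack.execution\n- detection.emerging-threats\n- cve.2022-21919\n- cve.2021-34484\nlogsource:\n product: windows\n service: application\ndetection:\n selection:\n EventID: 1511\n Provider_Name: Microsoft-Windows-User Profiles Service\n condition: selection\nfalsepositives:\n- Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx\nlevel: low\n",
 "vulnerabilities": [
-"CVE-2022-21919",
-"CVE-2021-34484"
+"CVE-2021-34484",
+"CVE-2022-21919"
 ]
 }
 ]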

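--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800\nid: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8\nstatus: test\ndescription: 'Detects potential exploitation attempts of Nimbuspwn vulnerabilities\n CVE-2022-29799 and CVE-2022-27800 in Linux systems.\n\n '\nreferences:\n- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\n- https://github.com/Immersive-Labs-Sec/nimbuspwn\nauthor: Bhabesh Raj\ndate: 2022-05-04\nmodified: 2025-11-03\ntags:\n- attack.privilege-escalation\n- attack.t1068\n- detection.emerging-threats\n- cve.2022-29799\n- cve.2022-27800\nlogsource:\n product: linux\ndetection:\n keywords:\n '|all':\n - networkd-dispatcher\n - Error handling notification for interface\n - ../../\n condition: keywords\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-27800",
-"CVE-2022-29799"
+"CVE-2022-29799",
+"CVE-2022-27800"
 ]
 }
 ]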

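--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2022-46169 Exploitation Attempt\nid: 738cb115-881f-4df3-82cc-56ab02fc5192\nstatus: test\ndescription: Detects potential exploitation attempts that target the Cacti Command\n Injection CVE-2022-46169\nreferences:\n- https://github.com/0xf4n9x/CVE-2022-46169\n- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\n- https://github.com/rapid7/metasploit-framework/pull/17407\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-27\nmodified: 2023-01-02\ntags:\n- attack.initial-access\n- attack.t1190\n- cve.2022-46169\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection:\n cs-method: GET\n cs-uri-query|contains|all:\n - /remote_agent.php\n - action=polldata\n - poller_id=\n cs-uri-query|contains:\n - '| base64 -d | /bin/bash`'\n - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60'\n - '`whoami'\n - powershell\n - cmd\n - wget\n condition: selection\nfalsepositives:\n- Web vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2022-46169",
-"GHSA-6P93-P743-35GF"
+"GHSA-6P93-P743-35GF",
+"CVE-2022-46169"
 ]
 }
 ]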
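Review bot: The GHSA identifier is emitted uppercased (`GHSA-6P93-P743-35GF`) while the rule's own reference URL spells it `GHSA-6p93-p743-35gf`, which is the form GitHub publishes; a consumer doing an exact-match lookup against the advisory database will presumably miss it. The collector appears to uppercase every extracted ID, which is harmless for the `CVE-` prefix but alters the GHSA suffix; preserving the source case, or only uppercasing the `CVE-`/`GHSA-` prefix, would fix it. The GeoServer section later in this commit (`GHSA-7G5F-WRX8-5CCF` vs. `GHSA-7g5f-wrx8-5ccf` in its reference) shows the same pattern, and none of this is introduced by the reorder itself.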

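--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2023-25157 Exploitation Attempt\nid: c0341543-5ed0-4475-aabc-7eea8c52aa66\nstatus: test\ndescription: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection\n in GeoServer\nreferences:\n- https://github.com/win3zz/CVE-2023-25157\n- https://twitter.com/parzel2/status/1665726454489915395\n- https://github.com/advisories/GHSA-7g5f-wrx8-5ccf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-14\ntags:\n- attack.initial-access\n- cve.2023-25157\n- detection.emerging-threats\nlogsource:\n category: webserver\ndetection:\n selection_url:\n cs-method: GET\n cs-uri-query|contains|all:\n - /geoserver/ows\n - CQL_FILTER=\n cs-uri-query|contains:\n - PropertyIsLike\n - strEndsWith\n - strStartsWith\n - FeatureId\n - jsonArrayContains\n - DWithin\n selection_payload:\n cs-uri-query|contains:\n - +--\n - +AS+\n - +OR+\n - FROM\n - ORDER+BY\n - SELECT\n - sleep%28\n - substring%28\n - UNION\n - WHERE\n condition: all of selection_*\nfalsepositives:\n- Vulnerability scanners\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2023-25157",
-"GHSA-7G5F-WRX8-5CCF"
+"GHSA-7G5F-WRX8-5CCF",
+"CVE-2023-25157"
 ]
 }
 ]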

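--- a/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.json
+++ b/data/sigma/006d8a4d6e3ea24949907ea9c22f1d5b06467ceaa9e35c49aa44866c854c8901/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.json
@@ -11,8 +11,8 @@
 },
 "rule_text": "title: Potential CVE-2303-36884 URL Request Pattern Traffic\nid: d9365e39-febd-4a4b-8441-3ca91bb9d333\nstatus: test\ndescription: Detects a specific URL pattern containing a specific extension and parameters\n pointing to an IP address. This pattern was seen being used by RomCOM potentially\n exploiting CVE-2023-36884\nreferences:\n- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n- attack.command-and-control\n- cve.2023-36884\n- detection.emerging-threats\nlogsource:\n category: proxy\ndetection:\n selection:\n cs-method: GET\n c-uri|re: \\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n",
 "vulnerabilities": [
-"CVE-2303-36884",
-"CVE-2023-36884"
+"CVE-2023-36884",
+"CVE-2303-36884"
 ]
 }
 ]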
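Review bot: `CVE-2303-36884` in the new `vulnerabilities` array is lifted from a typo in the rule title (`Potential CVE-2303-36884 URL Request Pattern Traffic`); a CVE year of 2303 cannot exist, so this entry can never resolve. A year sanity check in the extractor (reject IDs with `year < 1999` or `year > current_year`) or preferring the rule's `tags` entry (`cve.2023-36884`) over free text would filter it, and the title should be corrected upstream in Sigma. The commit only swaps the order of the two entries and does not address this.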
