Add cve tags

rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml

@@ -7,13 +7,12 @@ author: Bhabesh Raj
 status: experimental
 level: critical
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-26858
 date: 2021/03/03
 tags:
     - attack.t1203
     - attack.execution
+    - cve.2021.26858
 logsource:
     category: file_event
     product: windows

rules/windows/process_creation/win_exploit_cve_2020_10189.yml

@@ -4,8 +4,6 @@ status: experimental
 description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
 references:
     - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-    - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
     - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
 author: Florian Roth
 date: 2020/03/25
@@ -18,6 +16,7 @@ tags:
     - attack.t1059.003
     - attack.t1059  # an old one
     - attack.s0190    
+    - cve.2020.10189
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml

@@ -6,13 +6,13 @@ author: Florian Roth
 date: 2021/07/14
 references:
     - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-35211
 logsource:
     category: process_creation
     product: windows
 tags:
     - attack.persistence
     - attack.t1136.001
+    - cve.2021.35211
     # - threat_group.DEV-0322
 detection:
     selection1:

rules/windows/process_creation/win_susp_servu_process_pattern.yml

@@ -6,12 +6,12 @@ author: Florian Roth
 date: 2021/07/14
 references:
     - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-35211
 logsource:
     category: process_creation
     product: windows
 tags:
     - attack.credential_access
+    - cve.2021.35211
 detection:
     selection:
         ParentImage|endswith: '\Serv-U.exe'

rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -8,12 +8,12 @@ modified: 2021/09/09
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-33771
-    - https://nvd.nist.gov/vuln/detail/cve-2021-31979
 tags:
     - attack.credential_access
     - attack.t1566
     - attack.t1203
+    - cve.2021.33771
+    - cve.2021.31979
     # - threat_group.Sourgum
 logsource:
     product: windows

rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml

@@ -4,11 +4,11 @@ status: experimental
 description: Detects a suspicious printer driver installation with an empty Manufacturer value
 references:
     - https://twitter.com/SBousseaden/status/1410545674773467140
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 author: Florian Roth
 date: 2020/07/01
 tags:
     - attack.privilege_escalation
+    - cve.2021.1675
 logsource:
     category: registry_event
     product: windows

rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml

@@ -6,11 +6,11 @@ references:
   - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
   - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
   - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
-  - https://nvd.nist.gov/vuln/detail/cve-2021-1675
-  - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: Markus Neis, @markus_neis, Florian Roth
 tags:
   - attack.execution
+  - cve.2021.1675
+  - cve.2021.34527
 date: 2021/07/04
 modified: 2021/07/28
 logsource:

tests/test_rules.py

@@ -75,20 +75,13 @@ class TestRules(unittest.TestCase):
                         
     def test_optional_tags(self):
         files_with_incorrect_tags = []
-
+        tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}")
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             tags = self.get_rule_part(file_path=file, part_name="tags")
             if tags:
                 for tag in tags:
-                    if tag.startswith("attack."):
-                        continue
-                    elif tag.startswith("car."):
-                        continue
-                    elif tag.startswith("cve."):
-                        print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
-                        files_with_incorrect_tags.append(file)
-                    else:
-                        print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
+                    if tags_pattern.match(tag) == None:
+                        print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag))
                         files_with_incorrect_tags.append(file)
 
         self.assertEqual(files_with_incorrect_tags, [], Fore.RED + 
@@ -450,7 +443,7 @@ class TestRules(unittest.TestCase):
                          "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)")
 
     # Upgrade Detection Rule License  1.1
-    def test_author(self):
+    def test_optional_author(self):
         faulty_rules = []
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             author_str = self.get_rule_part(file_path=file, part_name="author")
@@ -459,9 +452,6 @@ class TestRules(unittest.TestCase):
                 if not isinstance(author_str, str):
                     print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file))
                     faulty_rules.append(file)
-            else:
-                print(Fore.YELLOW + "Rule {} has no 'author' field".format(file))
-                faulty_rules.append(file)
 
         self.assertEqual(faulty_rules, [], Fore.RED + 
                          "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)")