Create win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml

rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml

@@ -0,0 +1,21 @@
+title: Suspicious usage of CVE 2022_21919 or CVE_2021_34484
+id: 52a85084-6989-40c3-8f32-091e12e13f09
+status: test
+description: During exploitation of this vuln, It appears when the directory \Users\TEMP is created, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 are created. Viewed on 2008 Server
+author: Sorcha
+references:
+  - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
+date: 22/08/16
+logsource:
+  product: windows
+  service: Profile Service
+detection:    
+      EventID:
+          - 1511   
+          - 1515                      
+      System.ProviderName: 'Microsoft-Windows-User Profiles Service'
+falsepositives:
+  - Unknown
+level: high
+tags:  
+  - attack.execution