From 1bc4e9f430c07e44d0dc0fb0322cd2a165218772 Mon Sep 17 00:00:00 2001 From: sorchaa <37829781+sorchaa@users.noreply.github.com> Date: Tue, 16 Aug 2022 17:49:53 +0200 Subject: [PATCH] Create win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml --- ..._vuln_cve_2022_21919_or_cve_2021_34484.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml diff --git a/rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml new file mode 100644 index 000000000..bc7e02d54 --- /dev/null +++ b/rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml @@ -0,0 +1,21 @@ +title: Suspicious usage of CVE 2022_21919 or CVE_2021_34484 +id: 52a85084-6989-40c3-8f32-091e12e13f09 +status: test +description: During exploitation of this vuln, It appears when the directory \Users\TEMP is created, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 are created. Viewed on 2008 Server +author: Sorcha +references: + - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html +date: 22/08/16 +logsource: + product: windows + service: Profile Service +detection: + EventID: + - 1511 + - 1515 + System.ProviderName: 'Microsoft-Windows-User Profiles Service' +falsepositives: + - Unknown +level: high +tags: + - attack.execution
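Review bot: The `detection:` block in this hunk has no named selection and no `condition`, so the rule will not compile in sigmac/pySigma; the two fields sit directly under `detection:` instead of under a selection key. Suggested shape:

    detection:
        selection:
            Provider_Name: 'Microsoft-Windows-User Profiles Service'
            EventID:
                - 1511
                - 1515
        condition: selection

Related fixes in the same hunk: `service: Profile Service` is not a Sigma logsource service; these User Profile Service events are written to the System log, so use `product: windows` with `service: system`, and the field name should follow the backend mapping for the System log (`Provider_Name`) rather than the ad-hoc `System.ProviderName`. `date: 22/08/16` should be in Sigma's `YYYY/MM/DD` form (2022/08/16). The tag `attack.execution` does not match the referenced advisory, whose title is "User-Profile-Service-Privlege-Escalation"; `attack.privilege_escalation` (and a technique tag if one fits) is the appropriate mapping. Finally, `falsepositives: Unknown` combined with `level: high` needs more thought: event IDs 1511 and 1515 are also raised by ordinary corrupted or unreachable user profiles on sign-in (the service falls back to a temporary profile), so this will fire without any exploitation; either document that false-positive source and lower the level, or add a stronger discriminator to the selection, and state in the description that it has only been verified on Windows Server 2008 (the description's "Viewed on 2008 Server" wording also needs grammar cleanup: "It appears when ... are created" should read "When the \Users\TEMP directory is created during exploitation, two events ... are logged").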