From 2bd24966c2fa251b304bfcfd9273cc4a973aaa01 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 15 Oct 2023 20:39:13 +0200
Subject: [PATCH] Merge PR #4480 From @frack113 - Upgrade ET Rules Status

chore: Upgrade status level from `experimental` to `test` for emerging-threats rules that have not changed in 300 days
---
 .../CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml | 2 +-
 ...win_security_exploit_cve_2021_1675_printspooler_security.yml | 2 +-
 .../file_event_win_cve_2021_44077_poc_default_files.yml | 2 +-
 .../2021/Exploits/win_exchange_cve_2021_42321.yml | 2 +-
 rules-emerging-threats/2021/Exploits/win_vul_cve_2021_41379.yml | 2 +-
 .../CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml | 2 +-
 .../Bumblebee/create_remote_thread_win_malware_bumblebee.yml | 2 +-
 .../proc_creation_win_malware_hermetic_wiper_activity.yml | 2 +-
 rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
index ae07180be..316cbe81d 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
@@ -1,6 +1,6 @@
 title: Possible CVE-2021-1675 Print Spooler Exploitation
 id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
-status: experimental
+status: test
 description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
 references:
     - https://github.com/hhlxf/PrintNightmare
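Review bot: The new `status: test` on this rule is justified only by age (the description says the rule has not changed in 300 days), while the rule's own description still hedges that the event "could be a sign" of exploitation, so nothing in the hunk shows the false-positive behaviour that, as I understand the Sigma status levels, `test` is meant to attest to. A status bump changes how downstream consumers weight and deploy the rule, so if age-based promotion is the agreed project policy it would help to say so explicitly in the commit message, e.g. `Promotion is time-based (no change in 300 days), not the result of additional false-positive testing`. Otherwise I would prefer the promotion to be tied to some evidence of the rule having been run against real logs.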
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
index 354a06335..ba211de2f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -1,6 +1,6 @@
 title: CVE-2021-1675 Print Spooler Exploitation IPC Access
 id: 8fe1c584-ee61-444b-be21-e9054b229694
-status: experimental
+status: test
 description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
 references:
     - https://twitter.com/INIT_3/status/1410662463641731075
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
index 62cc66152..ae1fa7ec4 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -1,6 +1,6 @@
 title: CVE-2021-44077 POC Default Dropped File
 id: 7b501acf-fa98-4272-aa39-194f82edc8a3
-status: experimental
+status: test
 description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
 references:
     - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
diff --git a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
index 09b11ad9c..2aa9f1734 100644
--- a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
+++ b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
@@ -1,6 +1,6 @@
 title: Possible Exploitation of Exchange RCE CVE-2021-42321
 id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
-status: experimental
+status: test
 description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
 references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
diff --git a/rules-emerging-threats/2021/Exploits/win_vul_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/win_vul_cve_2021_41379.yml
index 08ba177eb..b5fc25ab7 100644
--- a/rules-emerging-threats/2021/Exploits/win_vul_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/win_vul_cve_2021_41379.yml
@@ -1,6 +1,6 @@
 title: LPE InstallerFileTakeOver PoC CVE-2021-41379
 id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
-status: experimental
+status: test
 description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 references:
     - https://github.com/klinix5/InstallerFileTakeOver
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
index e846559e3..399bc9f7f 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
@@ -1,6 +1,6 @@
 title: CVE-2022-24527 Microsoft Connected Cache LPE
 id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
-status: experimental
+status: test
 description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
 references:
     - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
diff --git a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
index 712e228bd..0b71e049a 100644
--- a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
+++ b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
@@ -1,6 +1,6 @@
 title: Potential Bumblebee Remote Thread Creation
 id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
-status: experimental
+status: test
 description: Detects remote thread injection events based on action seen used by bumblebee
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
diff --git a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
index 2a22274bc..85ed258bd 100644
--- a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
+++ b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
@@ -1,6 +1,6 @@
 title: Hermetic Wiper TG Process Patterns
 id: 2f974656-6d83-4059-bbdf-68ac5403422f
-status: experimental
+status: test
 description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
 references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
index f5c433643..f0c70b2a7 100644
--- a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
@@ -1,6 +1,6 @@
 title: MSSQL Extended Stored Procedure Backdoor Maggie
 id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
-status: experimental
+status: test
 description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
 references:
     - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
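Review bot: The `description` of the Maggie rule still says "extended storage procedure" while the `title` two lines above and the MSSQL feature itself are "extended stored procedure"; since the rule is being promoted to `test` in this hunk, the wording should be made consistent in the same pass so the promoted rule does not carry an obvious typo into wider deployment. Suggested line: `description: This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL server`. This is a pre-existing context line, not something the commit introduced.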