Update cve tags

rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml

@@ -10,13 +10,13 @@ date: 2021/02/01
 references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
     - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+    - https://nvd.nist.gov/vuln/detail/cve-2021-3156
 falsepositives:
     - Unknown
 level: critical
 tags:
     - attack.privilege_escalation
     - attack.t1068
-    - cve.2021-3156
 logsource:
     product: linux
     service: auditd

rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml

@@ -13,10 +13,10 @@ references:
     - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
     - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
     - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1678
 tags:
     - attack.execution
-    - cve.2021-1675
-    - cve.2021-1678
 logsource:
     product: zeek
     service: dce_rpc

rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml

@@ -9,11 +9,11 @@ level: critical
 references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-26858
 date: 2021/03/03
 tags:
     - attack.t1203
     - attack.execution
-    - cve.2021-26858
 logsource:
     category: file_event
     product: windows

rules/windows/file_event/win_cve_2021_1675_printspooler.yml

@@ -8,11 +8,12 @@ references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/29
 modified: 2021/07/01
 tags:
     - attack.execution
-    - cve.2021-1675
+    - attack.privilege_escalation
 logsource:
     category: file_event
     product: windows

rules/windows/file_event/win_hivenightmare_file_exports.yml

@@ -9,11 +9,11 @@ references:
     - https://github.com/FireFart/hivenightmare/
     - https://github.com/WiredPulse/Invoke-HiveNightmare
     - https://twitter.com/cube0x0/status/1418920190759378944
+    - https://nvd.nist.gov/vuln/detail/cve-2021-36934
 logsource:
     product: windows
     category: file_event
 tags:
-    - cve.2021-36934
     - attack.credential_access
     - attack.t1552.001
 detection:

rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml

@@ -8,11 +8,11 @@ level: critical
 references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-26857
 date: 2021/03/03
 tags:
     - attack.t1203
     - attack.execution
-    - cve.2021-26857
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml

@@ -6,13 +6,13 @@ author: Florian Roth
 date: 2021/07/14
 references:
     - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-35211
 logsource:
     category: process_creation
     product: windows
 tags:
     - attack.persistence
     - attack.t1136.001
-    - cve.2021-35211
     - threat_group.DEV-0322
 detection:
     selection1:

rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml

@@ -4,10 +4,11 @@ status: experimental
 description: Detects a suspicious printer driver installation with an empty Manufacturer value
 references:
     - https://twitter.com/SBousseaden/status/1410545674773467140
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 author: Florian Roth
 date: 2020/07/01
 tags:
-    - cve.2021-1675
+    - attack.privilege_escalation
 logsource:
     category: registry_event
     product: windows

rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml

@@ -6,11 +6,11 @@ references:
   - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
   - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
   - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+  - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+  - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: Markus Neis, @markus_neis, Florian Roth
 tags:
   - attack.execution
-  - cve.2021-1675
-  - cve.2021-34527
 date: 2021/07/04
 modified: 2021/07/28
 logsource:
@@ -37,4 +37,4 @@ detection:
   condition: selection or selection_alt or (selection_print and selection_kiwi)
 falsepositives:
   - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
-level: critical
+level: critical

tests/test_rules.py

@@ -86,7 +86,7 @@ class TestRules(unittest.TestCase):
                        continue
                    elif tag.startswith("cve."):
                        print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
-                      # files_with_incorrect_tags.append(file)
+                       files_with_incorrect_tags.append(file)
                    else:
                        print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
                       # files_with_incorrect_tags.append(file)