From ace46c17bee09d8d331dcd22d5551b2516d26773 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 24 Aug 2021 10:27:27 +0200
Subject: [PATCH] Update cve tags

---
 .../win_exploit_cve_2021_1675_printspooler.yml | 2 +-
 ...xploit_cve_2021_1675_printspooler_Security.yml | 4 ++--
 ...oit_cve_2021_1675_printspooler_operational.yml | 2 +-
 .../driver_load/sysmon_vuln_dell_driver_load.yml | 3 ++-
 .../win_cve_2021_1675_printspooler_del.yml | 11 +++++------
 .../image_load/sysmon_spoolsv_dll_load.yml | 15 ++++++---------
 .../win_susp_servu_process_pattern.yml | 3 ++-
 7 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
index 62e123578..26866f88b 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -8,11 +8,11 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/30
 modified: 2021/07/08
 tags:
 - attack.execution
- - cve.2021-1675
 logsource:
 product: windows
 service: printservice-admin
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
index ce921b989..d36b0ea47 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
@@ -6,11 +6,11 @@ status: experimental
 level: critical
 references:
 - https://twitter.com/INIT_3/status/1410662463641731075
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+ - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 date: 2021/07/02
 tags:
 - attack.execution
- - cve.2021-1675
- - cve.2021-34527
 logsource:
 product: windows
 service: security
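Review bot: The tag list of this rule changes but `modified: 2021/07/08` is left untouched, while the same commit bumps `modified` to 2021/08/24 in the win_cve_2021_1675_printspooler_del.yml and sysmon_spoolsv_dll_load.yml hunks; the _Security, _operational, sysmon_vuln_dell_driver_load.yml and win_susp_servu_process_pattern.yml hunks have the same gap (the first two carry no `modified` field at all). Suggest `modified: 2021/08/24` here and adding or bumping it in those hunks. Dropping `cve.2021-1675` also removes the only machine-readable CVE association from the rule; if the hyphenated form was the reason, keeping the CVE in whatever `cve.` tag form the project's tag specification accepts, next to the new NVD URL, would preserve filtering of rules by CVE.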
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
index 9b2fa1744..4fbbee51d 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -6,10 +6,10 @@ status: experimental
 level: critical
 references:
 - https://twitter.com/MalwareJake/status/1410421967463731200
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/07/01
 tags:
 - attack.execution
- - cve.2021-1675
 logsource:
 product: windows
 service: printservice-operational
diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
index 21868b8af..ea92afb40 100644
--- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
@@ -5,11 +5,12 @@ author: Florian Roth
 date: 2021/05/05
 references:
 - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+ - https://nvd.nist.gov/vuln/detail/cve-2021-21551
 logsource:
 category: driver_load
 product: windows
 tags:
- - cve.2021-21551
+ - attack.privilege_escalation
 detection:
 selection_image:
 ImageLoaded|contains: '\DBUtil_2_3.Sys'
diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
index 1b97f004c..397a66b13 100644
--- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
+++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
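Review bot: The replacement `attack.privilege_escalation` in the sysmon_vuln_dell_driver_load.yml hunk is a tactic-only tag, while the rule matches one specific vulnerable driver image (`ImageLoaded|contains: '\DBUtil_2_3.Sys'`), so a technique tag would make the ATT&CK mapping precise. Assuming the intent is the driver exploitation described in the referenced advisory, add `- attack.t1068` beneath the tactic tag. The detection's remaining selections and its `condition` line continue past the hunk.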
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder
 references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 author: Bhabesh Raj
 date: 2021/07/01
+modified: 2021/08/24
 tags:
 - attack.persistence
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1574
- - cve.2021-1675
 logsource:
 category: file_delete
 product: windows
 detection:
 selection:
- Image|endswith:
- - 'spoolsv.exe'
- TargetFilename|contains:
- - 'C:\Windows\System32\spool\drivers\x64\3\'
+ Image|endswith: 'spoolsv.exe'
+ TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml
index e51c20cdd..38e94f804 100644
--- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml
+++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml
@@ -4,27 +4,24 @@ status: experimental
 description: Detect DLL Load from Spooler Service backup folder
 references:
 - https://github.com/hhlxf/PrintNightmare
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+ - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: FPT.EagleEye, Thomas Patzke (improvements)
 date: 2021/06/29
-modified: 2021/07/08
+modified: 2021/08/24
 tags:
 - attack.persistence
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1574
- - cve.2021-1675
- - cve.2021-34527
 logsource:
 category: image_load
 product: windows
 detection:
 selection:
- Image|endswith:
- - 'spoolsv.exe'
- ImageLoaded|contains:
- - '\Windows\System32\spool\drivers\x64\3\'
- ImageLoaded|endswith:
- - '.dll'
+ Image|endswith: 'spoolsv.exe'
+ ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\'
+ ImageLoaded|endswith: '.dll'
 condition: selection
 falsepositives:
 - Loading of legitimate driver
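Review bot: The rewritten `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` keeps a hard-coded `C:` prefix, whereas the parallel image_load rule in this commit (sysmon_spoolsv_dll_load.yml) matches `'\Windows\System32\spool\drivers\x64\3\'` with no drive letter; a host whose system drive is not C: would be missed by this rule only. Suggest `TargetFilename|contains: '\Windows\System32\spool\drivers\x64\3\'` so the two rules agree. The collapse of the one-element lists to plain scalars and the restored trailing newline on `level: high` are fine.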
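Review bot: The new `ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\'` covers only the x64 driver store, and the file_delete rule in this commit has the same restriction. If the 32-bit store under `\Windows\System32\spool\drivers\W32X86\3\` is also in scope for the CVE-2021-1675 and CVE-2021-34527 references added here, list both paths under `ImageLoaded|contains:`; otherwise a short comment such as `# x64 driver store only; W32X86 store intentionally excluded` would record the choice for the next maintainer. The rule's `level` line follows outside the hunk.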
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
index 097a6ae6e..90b50893a 100644
--- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml
+++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
@@ -6,11 +6,12 @@ author: Florian Roth
 date: 2021/07/14
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+ - https://nvd.nist.gov/vuln/detail/cve-2021-35211
 logsource:
 category: process_creation
 product: windows
 tags:
- - cve.2021-35211
+ - attack.credential_access
 detection:
 selection:
 ParentImage|endswith: '\Serv-U.exe'
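Review bot: `attack.credential_access` does not describe what the selection matches — processes whose parent is `\Serv-U.exe` — and the referenced Microsoft post appears to attribute that pattern to exploitation of the exposed Serv-U service, which is initial access rather than credential theft. Suggest `- attack.initial_access` and `- attack.t1190` in place of the credential_access tag, or a comment explaining why credential_access was chosen. The selection continues past the hunk, so further conditions may narrow it.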