Merge PR #5740 from @swachchhanda000 - chore: reorganize threat specific rules into rules-emerging-threats directory

chore: reorganize threat specific rules into rules-emerging-threats directory

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Swachchhanda Shrawan Poudel
2025-11-10 16:45:08 +05:45
committed by GitHub
parent 43b6fae2a0
commit c6fcff5cff
23 changed files with 56 additions and 43 deletions
@@ -11,6 +11,7 @@ modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: registry_event
product: windows
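Review bot: this hunk only adds `- detection.emerging-threats` and leaves the `modified: 2022-10-09` shown in the hunk header untouched, while other rules in this PR (the PrintNightmare, OMIGOD, NetWire, User Profile Service, Nimbuspwn and KDC RC4-HMAC hunks) bump `modified:` to 2025-11-03 when their title, description or tags change. Either bump the date here and in the other tag-only hunks whose header still shows an old value (`modified: 2021-11-27`, `modified: 2023-04-14`), or leave it unbumped everywhere, so the PR applies one policy.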
@@ -10,6 +10,8 @@ modified: 2021-11-27
tags:
- attack.reconnaissance
- attack.t1589
- cve.2018-15473
- detection.emerging-threats
logsource:
product: linux
service: sshd
@@ -12,6 +12,8 @@ tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
- detection.emerging-threats
- cve.2019-0708
logsource:
product: windows
service: security
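Review bot: the two added tags are ordered `- detection.emerging-threats` then `- cve.2019-0708`, while the sibling hunk for the same CVE (the `service: system` rule directly below) inserts them as `- cve.2019-0708` then `- detection.emerging-threats`; roughly half the hunks in this PR use each order. Pick one placement for `detection.emerging-threats` relative to the `cve.*` tags and apply it across the PR, starting with these two rules.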
@@ -12,6 +12,8 @@ tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
- cve.2019-0708
- detection.emerging-threats
logsource:
product: windows
service: system
@@ -18,6 +18,7 @@ tags:
- attack.t1068
- attack.t1548.003
- cve.2019-14287
- detection.emerging-threats
logsource:
product: linux
service: sudo
@@ -15,6 +15,7 @@ tags:
- attack.t1068
- attack.t1548.003
- cve.2019-14287
- detection.emerging-threats
logsource:
product: linux
category: process_creation
@@ -16,6 +16,7 @@ tags:
- attack.persistence
- attack.t1112
- attack.t1047
- detection.emerging-threats
logsource:
product: windows
category: registry_set
@@ -14,6 +14,8 @@ tags:
- attack.privilege-escalation
- attack.t1055
- detection.emerging-threats
- cve.2021-34527
- cve.2021-1675
logsource:
category: antivirus
detection:
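Review bot: the PrintNightmare CVE tags here are listed as `- cve.2021-34527` then `- cve.2021-1675`, whereas the image_load and registry_event hunks for the same vulnerability list `- cve.2021-1675` then `- cve.2021-34527`; keep one order across the PrintNightmare rules so the tag blocks are easy to diff against each other.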
@@ -14,6 +14,7 @@ tags:
- attack.privilege-escalation
- attack.t1574
- cve.2021-1675
- detection.emerging-threats
logsource:
category: file_delete
product: windows
@@ -25,7 +25,4 @@ detection:
condition: selection
falsepositives:
- Unknown
fields:
- ComputerName
- TargetFilename
level: critical
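Review bot: this hunk deletes the `fields:` block (`- ComputerName`, `- TargetFilename`), which is a content change rather than a reorganization, and the commit message ("reorganize threat specific rules into rules-emerging-threats directory") does not mention it; the same removal appears in the Zeek PrintNightmare, OMIGOD and samAccountName hunks below. State in the commit message or PR description that `fields:` is being dropped from these rules and why, or split the removal into its own commit so the directory move and the schema change can be reviewed separately.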
@@ -1,7 +1,8 @@
title: Windows Spooler Service Suspicious Binary Load
id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: test
description: Detect DLL Load from Spooler Service backup folder
description: |
Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
references:
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/ly4k/SpoolFool
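Review bot: the new description line spells the vulnerability "PrinterNightmare"; the reference URL in the same hunk (`hhlxf/PrintNightmare`) and the title of the Zeek rule further down use "PrintNightmare", so change it to `(PrintNightmare)`. While touching the line, "Detect DLL Load from Spooler Service backup folder" could become "Detects DLL load from the Spooler Service backup folder" to match the "Detects ..." phrasing used by the other descriptions in this PR.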
@@ -15,6 +16,7 @@ tags:
- attack.t1574
- cve.2021-1675
- cve.2021-34527
- detection.emerging-threats
logsource:
category: image_load
product: windows
@@ -16,6 +16,7 @@ tags:
- attack.t1204
- cve.2021-1675
- cve.2021-34527
- detection.emerging-threats
logsource:
product: windows
category: registry_event
@@ -1,4 +1,4 @@
title: Possible PrintNightmare Print Driver Install
title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
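Review bot: the new title appends only CVE-2021-1675, but the tags shown in the next hunk for this rule carry `cve.2021-1678`, `cve.2021-1675` and `cve.2021-34527`, and the references include a CVE-2021-1678 advisory; either name the CVEs the rule is tagged with in the title (as the Nimbuspwn and User Profile Service titles do for their pairs) or keep the title free of CVE numbers, so the title does not suggest narrower coverage than the tags.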
@@ -14,15 +14,15 @@ references:
- https://github.com/corelight/CVE-2021-1675
- https://old.zeek.org/zeekweek2019/slides/bzar.pdf
- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
modified: 2022-07-07
modified: 2025-11-03
tags:
- attack.execution
- cve.2021-1678
- cve.2021-1675
- cve.2021-34527
- detection.emerging-threats
logsource:
product: zeek
service: dce_rpc
@@ -36,14 +36,6 @@ detection:
- 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
- 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
condition: selection
fields:
- id.orig_h
- id.resp_h
- id.resp_p
- operation
- endpoint
- named_pipe
- uid
falsepositives:
- Legitimate remote alteration of a printer driver.
level: medium
@@ -1,16 +1,16 @@
title: OMIGOD HTTP No Authentication RCE
title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
status: stable
description: |
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://twitter.com/neu5ron/status/1438987292971053057?s=20
author: Nate Guagenti (neu5ron)
date: 2021-09-20
modified: 2019-09-20
modified: 2025-11-03
tags:
- attack.privilege-escalation
- attack.initial-access
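Review bot: the three description lines appear with identical text in the removed and added versions, so this is a whitespace or indentation change only; since the lines are being touched anyway, fix the wording: "allows remote execute (RCE) commands as root" should read "allows remote code execution (RCE) as root", and "Verify, successful, exploitation" should read "Verify successful exploitation". The `modified:` fix is correct: the old value 2019-09-20 predates the rule's own `date: 2021-09-20`.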
@@ -21,6 +21,8 @@ tags:
- attack.t1203
- attack.t1021.006
- attack.t1210
- detection.emerging-threats
- cve.2021-38647
logsource:
product: zeek
service: http
@@ -41,16 +43,6 @@ detection:
# - 1270
condition: selection and not auth_header and not too_small_http_client_body
# condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
fields:
- id.orig_h
- id.resp_h
- id.resp_p
- status_code
- method
- uri
- request_body_len
- response_body_len
- user_agent
falsepositives:
- Exploits that were attempted but unsuccessful.
- Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
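Review bot: the falsepositives entry still ends with "See description for investigation tips", and the description tells the analyst to inspect the HTTP client body and the endpoint logs, but the removed `fields:` list (`request_body_len`, `response_body_len`, `method`, `uri`, `user_agent`, ...) was what named the Zeek http columns to pivot on; if `fields:` is being retired, add those column names to the description so the investigation tip stays actionable.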
@@ -11,6 +11,8 @@ tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.001
- detection.emerging-threats
- cve.2021-4034
logsource:
product: linux
service: auth
@@ -16,6 +16,8 @@ modified: 2023-04-14
tags:
- attack.credential-access
- attack.t1558.003
- detection.emerging-threats
- cve.2021-42287
logsource:
product: windows
service: system
@@ -28,6 +30,4 @@ detection:
condition: selection
falsepositives:
- Unknown
fields:
- samAccountName
level: medium
@@ -10,17 +10,17 @@ references:
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021-10-07
modified: 2023-02-07
modified: 2025-11-03
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
- detection.emerging-threats
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
# The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
TargetObject|contains: '\software\NetWire'
condition: selection
@@ -1,14 +1,20 @@
title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
id: 52a85084-6989-40c3-8f32-091e12e17692
status: test
description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
description: |
Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.
During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).
Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
references:
- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022-08-16
modified: 2023-05-02
modified: 2025-11-03
tags:
- attack.execution
- detection.emerging-threats
- cve.2022-21919
- cve.2021-34484
logsource:
product: windows
service: application
@@ -15,6 +15,7 @@ tags:
- attack.t1190
- attack.t1059
- cve.2022-26134
- detection.emerging-threats
logsource:
category: process_creation
product: linux
@@ -1,16 +1,20 @@
title: Nimbuspwn Exploitation
title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: test
description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
description: |
Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.
references:
- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
- https://github.com/Immersive-Labs-Sec/nimbuspwn
author: Bhabesh Raj
date: 2022-05-04
modified: 2023-01-23
modified: 2025-11-03
tags:
- attack.privilege-escalation
- attack.t1068
- detection.emerging-threats
- cve.2022-29799
- cve.2022-27800
logsource:
product: linux
detection:
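Review bot: the new title, description and tag use CVE-2022-27800, but the removed description line reads CVE-2022-29800, and the Microsoft blog post referenced in this hunk describes Nimbuspwn as CVE-2022-29799 and CVE-2022-29800; 27800 looks like a transposition introduced by this change. Correct the title, the description and the `- cve.2022-27800` tag to 29800 before merging. Two smaller points on the same lines: "in Linux systems" reads better as "on Linux systems", and the title omits the " - " separator the other retitled rules in this PR use before the CVE number (e.g. "Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966").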
@@ -12,6 +12,7 @@ tags:
- attack.initial-access
- attack.t1190
- cve.2022-33891
- detection.emerging-threats
logsource:
product: linux
category: process_creation
@@ -1,4 +1,4 @@
title: KDC RC4-HMAC Downgrade CVE-2022-37966
title: Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
@@ -6,9 +6,11 @@ references:
- https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
modified: 2025-09-22
modified: 2025-11-03
tags:
- attack.privilege-escalation
- detection.emerging-threats
- cve.2022-37966
logsource:
product: windows
service: system
@@ -11,8 +11,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.command-and-control
- attack.t1071.004
- attack.command-and-control
logsource:
product: windows
service: dns-client
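Review bot: this hunk moves `- attack.command-and-control` below `- attack.t1071.004`, placing the tactic after the technique, whereas every other tags block in this PR lists the tactic first (e.g. `attack.lateral-movement` before `attack.t1210`); keep the original order. Also, the tags block here ends at `logsource:` with only those two tags, so this is the one rule in the PR that is moved under rules-emerging-threats without receiving `detection.emerging-threats`; add the tag unless the omission is intentional, in which case say why in the PR.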