diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules-emerging-threats/2017/TA/Pandemic/registry_event_apt_pandemic.yml
similarity index 94%
rename from rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
rename to rules-emerging-threats/2017/TA/Pandemic/registry_event_apt_pandemic.yml
index 2ef031e2a..c14d17f97 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules-emerging-threats/2017/TA/Pandemic/registry_event_apt_pandemic.yml
@@ -11,6 +11,7 @@ modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1105
+ - detection.emerging-threats
logsource:
category: registry_event
product: windows
diff --git a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml b/rules-emerging-threats/2018/Exploits/CVE-2018-15473/lnx_sshd_exploit_cve_2018_15473.yml
similarity index 91%
rename from rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
rename to rules-emerging-threats/2018/Exploits/CVE-2018-15473/lnx_sshd_exploit_cve_2018_15473.yml
index 3975548b9..2cab170d2 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
+++ b/rules-emerging-threats/2018/Exploits/CVE-2018-15473/lnx_sshd_exploit_cve_2018_15473.yml
@@ -10,6 +10,8 @@ modified: 2021-11-27
tags:
- attack.reconnaissance
- attack.t1589
+ - cve.2018-15473
+ - detection.emerging-threats
logsource:
product: linux
service: sshd
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_security_exploit_cve_2019_0708_scanner_poc.yml
similarity index 93%
rename from rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
rename to rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_security_exploit_cve_2019_0708_scanner_poc.yml
index 8a9229e2e..a315aa526 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
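Review bot: The Pandemic hunk appends `detection.emerging-threats` without touching `modified` — the hunk header still carries `modified: 2022-10-09` as context — while other rules in this same commit (Netwire, the zeek PrintNightmare and OMIGOD rules, CVE-2022-21919, Nimbuspwn, KDC RC4) set `modified: 2025-11-03`. The same applies to the CVE-2018-15473 sshd hunk (`modified: 2021-11-27` in its header) and the CVE-2021-42287 hunk (`modified: 2023-04-14`); for the remaining tag-only hunks the `modified` line is outside the visible context, so they are presumably in the same state. Tooling that picks up rule changes by `modified` would not see the new tag on these files, so `modified: 2025-11-03` should be set uniformly on every rule the commit edits.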
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_security_exploit_cve_2019_0708_scanner_poc.yml
@@ -12,6 +12,8 @@ tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
+ - detection.emerging-threats
+ - cve.2019-0708
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_system_exploit_cve_2019_0708.yml
similarity index 93%
rename from rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
rename to rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_system_exploit_cve_2019_0708.yml
index 28bc787bb..d97cbcd7a 100644
--- a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_system_exploit_cve_2019_0708.yml
@@ -12,6 +12,8 @@ tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
+ - cve.2019-0708
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
similarity index 96%
rename from rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
rename to rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
index c5ec998e0..c2c9352ad 100644
--- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
@@ -18,6 +18,7 @@ tags:
- attack.t1068
- attack.t1548.003
- cve.2019-14287
+ - detection.emerging-threats
logsource:
product: linux
service: sudo
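Review bot: The two CVE-2019-0708 rules add the same pair of tags in opposite order — the scanner hunk appends `detection.emerging-threats` before `cve.2019-0708`, the termdd hunk right after it appends `cve.2019-0708` before `detection.emerging-threats`. The rest of the commit is split the same way (the sshd rule puts the `cve.*` tag first; pwnkit, CVE-2021-42287, CVE-2022-21919, Nimbuspwn and KDC RC4 put `detection.emerging-threats` first). Settling on one order, e.g. `cve.*` tags immediately after the `attack.*` tags and `detection.emerging-threats` last, would keep the tag lists uniform across the new directory and make the diffs of future tag additions predictable.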
diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
similarity index 96%
rename from rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
rename to rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
index 1a439819d..7c173ce41 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
@@ -15,6 +15,7 @@ tags:
- attack.t1068
- attack.t1548.003
- cve.2019-14287
+ - detection.emerging-threats
logsource:
product: linux
category: process_creation
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
similarity index 95%
rename from rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
rename to rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
index 4002f7483..584750849 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
@@ -16,6 +16,7 @@ tags:
- attack.persistence
- attack.t1112
- attack.t1047
+ - detection.emerging-threats
logsource:
product: windows
category: registry_set
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
similarity index 96%
rename from rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
index e077fc20d..b0c2e4be7 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
@@ -14,6 +14,8 @@ tags:
- attack.privilege-escalation
- attack.t1055
- detection.emerging-threats
+ - cve.2021-34527
+ - cve.2021-1675
logsource:
category: antivirus
detection:
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
similarity index 96%
rename from rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
index 737c29259..aa8978887 100644
--- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
@@ -14,6 +14,7 @@ tags:
- attack.privilege-escalation
- attack.t1574
- cve.2021-1675
+ - detection.emerging-threats
logsource:
category: file_delete
product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_exploit_cve_2021_1675_printspooler.yml
similarity index 95%
rename from rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_exploit_cve_2021_1675_printspooler.yml
index 230f38411..79774358c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_exploit_cve_2021_1675_printspooler.yml
@@ -25,7 +25,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-fields:
- - ComputerName
- - TargetFilename
level: critical
diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
similarity index 78%
rename from rules/windows/image_load/image_load_spoolsv_dll_load.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
index 597d14b93..2b01ae6fe 100644
--- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
@@ -1,7 +1,8 @@
title: Windows Spooler Service Suspicious Binary Load
id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: test
-description: Detect DLL Load from Spooler Service backup folder
+description: |
+ Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
references:
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/ly4k/SpoolFool
@@ -15,6 +16,7 @@ tags:
- attack.t1574
- cve.2021-1675
- cve.2021-34527
+ - detection.emerging-threats
logsource:
category: image_load
product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml
similarity index 98%
rename from rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml
index 7a8481464..3c8e9faec 100644
--- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
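Review bot: The new description line in the image_load rule spells the vulnerability name `PrinterNightmare`, while the zeek rule retitled in this same commit calls it `PrintNightmare` and the rule's own reference path is `hhlxf/PrintNightmare`; the added line should end `... CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).` so that a text search across the CVE-2021-1675 directory finds every rule. The title `Windows Spooler Service Suspicious Binary Load` is also left without the ` - CVE-2021-1675` suffix that the zeek, OMIGOD and KDC titles receive in this commit, so the title convention is applied unevenly inside one directory. Whether `modified` was bumped for this rule cannot be seen, since the date line falls between the two hunks.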
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml
@@ -16,6 +16,7 @@ tags:
- attack.t1204
- cve.2021-1675
- cve.2021-34527
+ - detection.emerging-threats
logsource:
product: windows
category: registry_event
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml
similarity index 90%
rename from rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml
index 41d9d2aa5..6140dc68a 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml
@@ -1,4 +1,4 @@
-title: Possible PrintNightmare Print Driver Install
+title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
@@ -14,15 +14,15 @@ references:
- https://github.com/corelight/CVE-2021-1675
- https://old.zeek.org/zeekweek2019/slides/bzar.pdf
- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
-
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
-modified: 2022-07-07
+modified: 2025-11-03
tags:
- attack.execution
- cve.2021-1678
- cve.2021-1675
- cve.2021-34527
+ - detection.emerging-threats
logsource:
product: zeek
service: dce_rpc
@@ -36,14 +36,6 @@ detection:
- 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
- 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
condition: selection
-fields:
- - id.orig_h
- - id.resp_h
- - id.resp_p
- - operation
- - endpoint
- - named_pipe
- - uid
falsepositives:
- Legitimate remote alteration of a printer driver.
level: medium
diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-38647/zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml
similarity index 73%
rename from rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-38647/zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml
index 2d77cb85d..0503c1caa 100644
--- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-38647/zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml
@@ -1,16 +1,16 @@
-title: OMIGOD HTTP No Authentication RCE
+title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
status: stable
description: |
- Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
- Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
- Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
+ Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
+ Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
+ Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://twitter.com/neu5ron/status/1438987292971053057?s=20
author: Nate Guagenti (neu5ron)
date: 2021-09-20
-modified: 2019-09-20
+modified: 2025-11-03
tags:
- attack.privilege-escalation
- attack.initial-access
@@ -21,6 +21,8 @@ tags:
- attack.t1203
- attack.t1021.006
- attack.t1210
+ - detection.emerging-threats
+ - cve.2021-38647
logsource:
product: zeek
service: http
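Review bot: The three description lines are re-emitted in the first hunk with no visible change in wording, so presumably only their indentation moved; since they are being rewritten anyway, the stray commas in `Verify, successful, exploitation by viewing the HTTP client (request) body` should go with them, i.e. `Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).` The collapsed rendering hides what whitespace actually changed, so the whitespace-only reading is inferred from the identical visible text.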
@@ -41,16 +43,6 @@ detection:
# - 1270
condition: selection and not auth_header and not too_small_http_client_body
# condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
-fields:
- - id.orig_h
- - id.resp_h
- - id.resp_p
- - status_code
- - method
- - uri
- - request_body_len
- - response_body_len
- - user_agent
falsepositives:
- Exploits that were attempted but unsuccessful.
- Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
similarity index 93%
rename from rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
index 87d37c33c..db1f5d2da 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
@@ -11,6 +11,8 @@ tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.001
+ - detection.emerging-threats
+ - cve.2021-4034
logsource:
product: linux
service: auth
diff --git a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_system_exploit_cve_2021_42287.yml
similarity index 95%
rename from rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_system_exploit_cve_2021_42287.yml
index b66746f39..748236106 100644
--- a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_system_exploit_cve_2021_42287.yml
@@ -16,6 +16,8 @@ modified: 2023-04-14
tags:
- attack.credential-access
- attack.t1558.003
+ - detection.emerging-threats
+ - cve.2021-42287
logsource:
product: windows
service: system
@@ -28,6 +30,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-fields:
- - samAccountName
level: medium
diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
similarity index 95%
rename from rules/windows/registry/registry_add/registry_add_malware_netwire.yml
rename to rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
index 3c020f7b6..77917a6df 100644
--- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
+++ b/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
@@ -10,17 +10,17 @@ references:
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021-10-07
-modified: 2023-02-07
+modified: 2025-11-03
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
+ - detection.emerging-threats
logsource:
product: windows
category: registry_add
detection:
selection:
- EventType: CreateKey # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
TargetObject|contains: '\software\NetWire'
condition: selection
diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml
similarity index 50%
rename from rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml
index 04fbf91e3..1de53aa77 100644
--- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml
@@ -1,14 +1,20 @@
-title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
+title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
id: 52a85084-6989-40c3-8f32-091e12e17692
status: test
-description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
+description: |
+ Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.
+ During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).
+ Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
references:
- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022-08-16
-modified: 2023-05-02
+modified: 2025-11-03
tags:
- attack.execution
+ - detection.emerging-threats
+ - cve.2022-21919
+ - cve.2021-34484
logsource:
product: windows
service: application
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26134/proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml
similarity index 97%
rename from rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-26134/proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml
index cb7decc2b..10c5a6c3a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
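Review bot: The rewritten title and description now frame this rule as local privilege escalation (`for LPE`, `leading to local privilege escalation via the User Profile Service`), but the tag list still carries only `attack.execution` next to the three tags the hunk adds; the other LPE rules in this commit (sudo CVE-2019-14287, Nimbuspwn, pwnkit) carry `attack.privilege-escalation`, and two of them `attack.t1068`. Adding `    - attack.privilege-escalation` and `    - attack.t1068` alongside the new `cve.*` tags would make the ATT&CK mapping agree with the text that was just rewritten to describe it. The detection block lies outside this hunk, so the EventID 1511/1515 logic the description refers to cannot be checked here.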
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26134/proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml
@@ -15,6 +15,7 @@ tags:
- attack.t1190
- attack.t1059
- cve.2022-26134
+ - detection.emerging-threats
logsource:
category: process_creation
product: linux
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.yml
similarity index 66%
rename from rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.yml
index 75e939f06..66b8855a2 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.yml
@@ -1,16 +1,20 @@
-title: Nimbuspwn Exploitation
+title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: test
-description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
+description: |
+ Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.
references:
- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
- https://github.com/Immersive-Labs-Sec/nimbuspwn
author: Bhabesh Raj
date: 2022-05-04
-modified: 2023-01-23
+modified: 2025-11-03
tags:
- attack.privilege-escalation
- attack.t1068
+ - detection.emerging-threats
+ - cve.2022-29799
+ - cve.2022-27800
logsource:
product: linux
detection:
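Review bot: The second Nimbuspwn CVE identifier changes in this hunk from `CVE-2022-29800` (the removed description line) to `CVE-2022-27800` in the new title, the new description and the new `cve.2022-27800` tag, and the new file name uses `cve_2022_27999_cve_2022_27800` while its directory is named `CVE-2022-29799`; nothing in the commit explains the renumbering, so this looks like a digit transposition introduced by the rewrite rather than a correction. The Microsoft and Immersive Labs references kept in the hunk are the place to confirm, and if the old identifier stands the new lines should read `title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-29800`, `    Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-29800 in Linux systems.` and `    - cve.2022-29800`, with the file renamed to match (e.g. `lnx_exploit_cve_2022_29799_cve_2022_29800.yml`). A wrong `cve.*` tag is what breaks CVE-keyed searches and correlation across the emerging-threats tree, so it is worth settling before merge.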
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml
similarity index 96%
rename from rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml
index a92e6acfa..911bda796 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml
@@ -12,6 +12,7 @@ tags:
- attack.initial-access
- attack.t1190
- cve.2022-33891
+ - detection.emerging-threats
logsource:
product: linux
category: process_creation
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-37966/win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml
similarity index 85%
rename from rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-37966/win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml
index fc2e5b5e5..2a5251b93 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-37966/win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml
@@ -1,4 +1,4 @@
-title: KDC RC4-HMAC Downgrade CVE-2022-37966
+title: Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
@@ -6,9 +6,11 @@ references:
- https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
-modified: 2025-09-22
+modified: 2025-11-03
tags:
- attack.privilege-escalation
+ - detection.emerging-threats
+ - cve.2022-37966
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml
similarity index 100%
rename from rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
rename to rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml
index 5ea279d46..eb423f2be 100644
--- a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml
@@ -11,8 +11,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- - attack.command-and-control
- attack.t1071.004
+ - attack.command-and-control
logsource:
product: windows
service: dns-client