Sigma Rules
212 rules found for "CVE"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation - Registry
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Diamond Sleet APT Scheduled Task Creation
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
Onyx Sleet APT File Creation Indicators
Detects file creation activity that is related to Onyx Sleet APT activity
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - JavaScript Constrained File Creation
Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
Forest Blizzard APT - Process Creation Activity
Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction. If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter. This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
Potential Java WebShell Upload in SAP NetViewer Server
Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions. This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations. When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, potentially leading to arbitrary code execution and privilege escalation.
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.