Sigma Rules
212 rules found for "CVE"
CVE-2010-5278 Exploitation Attempt
MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Exploit for CVE-2015-1641
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
SSHD Error Message CVE-2018-15473
Detects exploitation attempt using public exploit code for CVE-2018-15473
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 Exploitation attempts
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
Potential PrintNightmare Exploitation Attempt
Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Windows Spooler Service Suspicious Binary Load
Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
Possible CVE-2021-1675 Print Spooler Exploitation
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation
Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation IPC Access
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
Arcadyan Router Exploitations
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
VMware vCenter Server File Upload CVE-2021-22005
Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
Fortinet CVE-2021-22123 Exploitation
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
Pulse Connect Secure RCE Attack CVE-2021-22893
This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)