18. 05. 2022 Massimo Giaimo Blue Team

Correlation between most exploited CVEs and detection rules

On May 12th, the CSIRT (Computer Security Incident Response Team – Italia) published a list of the CVEs most exploited by threat actors. The list also contains an indication of the TTPs used by these attackers. The objective of this article is to make available information relating to detection rules that are already available within the SIGMA Rules project, in order to identify in a timely manner attempts to exploit the vulnerabilities themselves. Our Security Operation Center Attacker-Centric team will periodically update this page when new detection rules are announced.

VendorProductCVE IDCVSSSeverityATT&CK TacticATT&CK TechniqueDetection Rule
ApacheLog4jCVE-2021-4422810.0CRITICALLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml
CiscoRV320/RV325 RouterCVE-2019-16537.5HIGHInitial AccessExploit Public-Facing Application
CitrixGatewayCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
CitrixApplication Delivery ControllerCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
EximExim Internet MailerCVE-2019-101499.8CRITICALInitial AccessExploit Public-Facing Application
F5Big-IPCVE-2020-59029.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_5902_f5_bigip.yml
FortinetFortiOSCVE-2018-133799.1CRITICALInitial AccessExploit Public-Facing Application
External Remote Services
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
FortinetFortiOSCVE-2018-133748.8HIGHInitial AccessExploit Public-Facing Application
AppleiOSCVE-2021-18796.1MEDIUMExecutionExploitation for Client Execution
ElasticKibanaCVE-2019-760910.0CRITICALInitial AccessExploit Public-Facing Application
LinuxKernelCVE-2016-07287.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftExchange ServerCVE-2020-06888.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_cve_2020_0688_exploit.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_0688_msexchange.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
MicrosoftExchange ServerCVE-2020-171448.4HIGHInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268559.8CRITICALInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268577.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
MicrosoftExchange ServerCVE-2021-268587.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
MicrosoftExchange ServerCVE-2021-270657.8HIGHInitial AccessExploit Public-Facing Application
MicrosoftOfficeCVE-2017-02627.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
MicrosoftOfficeCVE-2017-01997.8HIGHExecutionExploitation for Client Execution
MicrosoftOfficeCVE-2017-118827.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
MicrosoftSQL ServerCVE-2021-16368.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-345278.8HIGHPrivilege EscalationBoot or Logon Autostart Execution
Exploitation of Remote Services
https://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2020-079610.0CRITICALInitial AccessExploit Public-Facing Application
MicrosoftWindowsCVE-2017-01438.1HIGHLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01448.1HIGHLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01458.1HIGHLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01468.1HIGHLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01475.9MEDIUMLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01488.1HIGHLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2015-2546N/AN/APrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2016-33097.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-01017.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2018-81207.0HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-05437.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-08417.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10647.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10697.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11297.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11307.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12537.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13227.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13857.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13887.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
MicrosoftWindowsCVE-2019-14057.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-14587.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-06387.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-07877.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-16758.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2021-17327.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-02637.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-07089.8CRITICALLateral Movement
Initial Access
Exploit Public-Facing Application
Exploitation of Remote Services
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
MicrosoftWindowsCVE-2021-404447.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
MicrosoftWindows ServerCVE-2020-147210.0CRITICALCredential Access
Lateral Movement
Exploitation for Credential Access
Exploitation of Remote Services
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_vul_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
MicrosoftWindows ServerCVE-2020-06099.8CRITICALInitial AccessExploit Public-Facing Application
OctoberOctober CMSCVE-2021-326489.1CRITICALInitial Access
Credential Access
Exploit Public-Facing Application
Exploitation for Credential Access
OracleWebLogicCVE-2020-148829.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml
OracleWebLogic ServerCVE-2019-27259.8CRITICALInitial AccessExploit Public-Facing Application
IvantiPulse Secure VPNCVE-2019-1151010.0CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_pulsesecure_cve_2019_11510.yml
SonicWallSonicOSCVE-2020-51359.8CRITICALInitial AccessExploit Public-Facing Application
VMwareWorkspace One AccessCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareAccess ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity ManagerCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity Manager ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwareESXiCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwarevCenterCVE-2021-219859.8CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-220059.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml
RARLABWinRARCVE-2018-202507.8HIGHExecutionExploitation for Client Execution
SynacorZimbraCVE-2019-96709.8CRITICALInitial AccessExploit Public-Facing Application
Massimo Giaimo

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Author

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Leave a Reply

Your email address will not be published.

Archive