18. 05. 2022 Massimo Giaimo Blue Team

Correlation Between the Most Exploited CVEs and Detection Rules

On May 12th, the CSIRT (Computer Security Incident Response Team – Italia) published a list of the CVEs most exploited by threat actors. The list also contains an indication of the TTPs used by these attackers. The objective of this article is to make information available relating to detection rules that are already available within the SIGMA Rules project, in order to identify in a timely manner attempts to exploit the vulnerabilities themselves. Our Security Operation Center Attacker-Centric team will periodically update this page when new detection rules are announced.

VendorProductCVE IDCVSSSeverityATT&CK TacticATT&CK TechniqueDetection Rule
ApacheLog4jCVE-2021-4422810.0CRITICALLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml
CiscoRV320/RV325 RouterCVE-2019-16537.5HIGHInitial AccessExploit Public-Facing Application
CitrixGatewayCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
CitrixApplication Delivery ControllerCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
EximExim Internet MailerCVE-2019-101499.8CRITICALInitial AccessExploit Public-Facing Application
F5Big-IPCVE-2020-59029.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_5902_f5_bigip.yml
FortinetFortiOSCVE-2018-133799.1CRITICALInitial AccessExploit Public-Facing Application
External Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
FortinetFortiOSCVE-2018-133748.8HIGHInitial AccessExploit Public-Facing Application
AppleiOSCVE-2021-18796.1MEDIUMExecutionExploitation for Client Execution
ElasticKibanaCVE-2019-760910.0CRITICALInitial AccessExploit Public-Facing Application
LinuxKernelCVE-2016-07287.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftExchange ServerCVE-2020-06888.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_cve_2020_0688_exploit.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_0688_msexchange.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
MicrosoftExchange ServerCVE-2020-171448.4HIGHInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268559.8CRITICALInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268577.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
MicrosoftExchange ServerCVE-2021-268587.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
MicrosoftExchange ServerCVE-2021-270657.8HIGHInitial AccessExploit Public-Facing Application
MicrosoftOfficeCVE-2017-02627.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
MicrosoftOfficeCVE-2017-01997.8HIGHExecutionExploitation for Client Execution
MicrosoftOfficeCVE-2017-118827.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
MicrosoftSQL ServerCVE-2021-16368.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-345278.8HIGHPrivilege EscalationBoot or Logon Autostart Execution
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2020-079610.0CRITICALInitial AccessExploit Public-Facing Application
MicrosoftWindowsCVE-2017-01438.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01448.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01458.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01468.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01475.9MEDIUMLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01488.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2015-2546N/AN/APrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2016-33097.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-01017.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2018-81207.0HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-05437.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-08417.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10647.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10697.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11297.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11307.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12537.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13227.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13857.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13887.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
MicrosoftWindowsCVE-2019-14057.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-14587.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-06387.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-07877.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-16758.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2021-17327.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-02637.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-07089.8CRITICALLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
MicrosoftWindowsCVE-2021-404447.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
MicrosoftWindows ServerCVE-2020-147210.0CRITICALCredential Access
Lateral Movement		Exploitation for Credential Access
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_vul_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
MicrosoftWindows ServerCVE-2020-06099.8CRITICALInitial AccessExploit Public-Facing Application
OctoberOctober CMSCVE-2021-326489.1CRITICALInitial Access
Credential Access		Exploit Public-Facing Application
Exploitation for Credential Access
OracleWebLogicCVE-2020-148829.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml
OracleWebLogic ServerCVE-2019-27259.8CRITICALInitial AccessExploit Public-Facing Application
IvantiPulse Secure VPNCVE-2019-1151010.0CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_pulsesecure_cve_2019_11510.yml
SonicWallSonicOSCVE-2020-51359.8CRITICALInitial AccessExploit Public-Facing Application
VMwareWorkspace One AccessCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareAccess ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity ManagerCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity Manager ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwareESXiCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwarevCenterCVE-2021-219859.8CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-220059.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml
RARLABWinRARCVE-2018-202507.8HIGHExecutionExploitation for Client Execution
SynacorZimbraCVE-2019-96709.8CRITICALInitial AccessExploit Public-Facing Application
Massimo Giaimo

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Author

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix

Latest posts by Massimo Giaimo

21. 03. 2024 SOCnews
SOC News | Mar 21 – IABs and Bulk Sales
20. 02. 2024 SOCnews
SOC News | Feb 20 – Lockbit Infrastructure Seizure
09. 02. 2024 SOCnews
SOC News | Feb 07 – FortiOS Critical Vulnerabilities
03. 02. 2024 SOCnews
SOC News | Feb 04 – AnyDesk Compromise
25. 01. 2024 SOCnews
SOC News | Jan 01 – Kasseika Ransomware Uses BYOVD in His TTP
See All

Related Content

Tags: , ,

28. 03. 2024 SOCnews

SOC News | Mar 28 – New Vulnerabilities Added to the KEV Catalog

On March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor Read More
11. 03. 2024 SOCnews

SOC News | Mar 11 – JetBrains TeamCity Authentication Bypass Vulnerabilities

On March 4, 2024, JetBrains released TeamCity version 2023.11.4, which patches two authentication bypass vulnerabilities in the web component of TeamCity. These vulnerabilities were discovered in February by Rapid7’s vulnerability research team and allow a remote unauthenticated attacker to perform Read More
09. 02. 2024 SOCnews

SOC News | Feb 07 – FortiOS Critical Vulnerabilities

On February 8, 2024, Fortinet disclosed 2 critical vulnerabilities which could allow remote code or command execution. The vulnerabilities are as follows: FortiOS - Format String Bug in fgfmd, with CVSS severity 9.8 The versions prone to this vulnerability are: Read More
14. 06. 2022 Red Team, SEC4U

How People Reacted to Follina, the New 0-day

Zero-day vulnerabilities pose a serious threat in the field of cybersecurity. These flaws are usually discovered and exploited by criminals before security researchers even know of their existence. Because of this, we call them 0-day. It indicates the amount of Read More
09. 11. 2020 Log-SIEM, NetEye

CVE – Common Vulnerabilities and Exposures in NetEye

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system with funding from the National Cyber Security Division of Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive