18. 05. 2022 Massimo Giaimo Blue Team

Correlation Between the Most Exploited CVEs and Detection Rules

On May 12th, the CSIRT (Computer Security Incident Response Team – Italia) published a list of the CVEs most exploited by threat actors. The list also contains an indication of the TTPs used by these attackers. The objective of this article is to make information available relating to detection rules that are already available within the SIGMA Rules project, in order to identify in a timely manner attempts to exploit the vulnerabilities themselves. Our Security Operation Center Attacker-Centric team will periodically update this page when new detection rules are announced.

VendorProductCVE IDCVSSSeverityATT&CK TacticATT&CK TechniqueDetection Rule
ApacheLog4jCVE-2021-4422810.0CRITICALLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml
CiscoRV320/RV325 RouterCVE-2019-16537.5HIGHInitial AccessExploit Public-Facing Application
CitrixGatewayCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
CitrixApplication Delivery ControllerCVE-2019-197819.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
EximExim Internet MailerCVE-2019-101499.8CRITICALInitial AccessExploit Public-Facing Application
F5Big-IPCVE-2020-59029.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_5902_f5_bigip.yml
FortinetFortiOSCVE-2018-133799.1CRITICALInitial AccessExploit Public-Facing Application
External Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
FortinetFortiOSCVE-2018-133748.8HIGHInitial AccessExploit Public-Facing Application
AppleiOSCVE-2021-18796.1MEDIUMExecutionExploitation for Client Execution
ElasticKibanaCVE-2019-760910.0CRITICALInitial AccessExploit Public-Facing Application
LinuxKernelCVE-2016-07287.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftExchange ServerCVE-2020-06888.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_cve_2020_0688_exploit.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_0688_msexchange.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
MicrosoftExchange ServerCVE-2020-171448.4HIGHInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268559.8CRITICALInitial AccessExploit Public-Facing Application
MicrosoftExchange ServerCVE-2021-268577.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
MicrosoftExchange ServerCVE-2021-268587.8HIGHInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
MicrosoftExchange ServerCVE-2021-270657.8HIGHInitial AccessExploit Public-Facing Application
MicrosoftOfficeCVE-2017-02627.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml
MicrosoftOfficeCVE-2017-01997.8HIGHExecutionExploitation for Client Execution
MicrosoftOfficeCVE-2017-118827.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml
MicrosoftSQL ServerCVE-2021-16368.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-345278.8HIGHPrivilege EscalationBoot or Logon Autostart Execution
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2020-079610.0CRITICALInitial AccessExploit Public-Facing Application
MicrosoftWindowsCVE-2017-01438.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01448.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01458.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01468.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01475.9MEDIUMLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2017-01488.1HIGHLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services
MicrosoftWindowsCVE-2015-2546N/AN/APrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2016-33097.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-01017.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2018-81207.0HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-05437.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-08417.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10647.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-10697.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11297.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-11307.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-12537.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13157.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13227.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13857.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-13887.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml
MicrosoftWindowsCVE-2019-14057.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-14587.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-06387.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2020-07877.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2021-16758.8HIGHPrivilege EscalationExploitation for Privilege Escalationhttps://github.com/SigmaHQ/sigma/blob/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
MicrosoftWindowsCVE-2021-17327.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2017-02637.8HIGHPrivilege EscalationExploitation for Privilege Escalation
MicrosoftWindowsCVE-2019-07089.8CRITICALLateral Movement
Initial Access		Exploit Public-Facing Application
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
MicrosoftWindowsCVE-2021-404447.8HIGHExecutionExploitation for Client Executionhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
MicrosoftWindows ServerCVE-2020-147210.0CRITICALCredential Access
Lateral Movement		Exploitation for Credential Access
Exploitation of Remote Services		https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_vul_cve_2020_1472.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
MicrosoftWindows ServerCVE-2020-06099.8CRITICALInitial AccessExploit Public-Facing Application
OctoberOctober CMSCVE-2021-326489.1CRITICALInitial Access
Credential Access		Exploit Public-Facing Application
Exploitation for Credential Access
OracleWebLogicCVE-2020-148829.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml
OracleWebLogic ServerCVE-2019-27259.8CRITICALInitial AccessExploit Public-Facing Application
IvantiPulse Secure VPNCVE-2019-1151010.0CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_pulsesecure_cve_2019_11510.yml
SonicWallSonicOSCVE-2020-51359.8CRITICALInitial AccessExploit Public-Facing Application
VMwareWorkspace One AccessCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareAccess ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity ManagerCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwareIdentity Manager ConnectorCVE-2020-40069.1CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwareESXiCVE-2021-219729.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
VMwarevCenterCVE-2021-219859.8CRITICALInitial AccessExploit Public-Facing Application
VMwarevCenterCVE-2021-220059.8CRITICALInitial AccessExploit Public-Facing Applicationhttps://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml
RARLABWinRARCVE-2018-202507.8HIGHExecutionExploitation for Client Execution
SynacorZimbraCVE-2019-96709.8CRITICALInitial AccessExploit Public-Facing Application
Massimo Giaimo

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix and Threat Intelligence Team Leader at Würth Group

Author

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix and Threat Intelligence Team Leader at Würth Group

Latest posts by Massimo Giaimo

01. 11. 2024 Threat Intelligence
Our Contribution to Mitre Att@ck
10. 09. 2024 Blue Team, SEC4U, SOCnews
SOC News | September 10 – New RaaS Group BloodForge
21. 03. 2024 SOCnews
SOC News | Mar 21 – IABs and Bulk Sales
20. 02. 2024 SOCnews
SOC News | Feb 20 – Lockbit Infrastructure Seizure
09. 02. 2024 SOCnews
SOC News | Feb 07 – FortiOS Critical Vulnerabilities
See All

Related Content

Tags: , ,

08. 11. 2024 Blue Team, SEC4U, Threat Intelligence

SATAYO And SOC: Exchanging Data For Better Insight

In this post, will be explored the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete Read More
30. 08. 2024 Blue Team, SEC4U

A Concrete Example of ES|QL and SOC Detection Rules

The purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detection rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is an Read More
07. 06. 2024 Blue Team, SEC4U

Akira Ransomware: How to Make an Efficient Detection Rule

In this article, we're going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real Read More
24. 05. 2024 SOCnews

SOC News | May 24 – Patch This Veeam Critical Vulnerability Now

On May 21, Veeam published details about four different vulnerabilities detected in their product Veeam Backup Enterprise Manager (VBEM). One of them is critical and allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface Read More
26. 04. 2024 SOCnews

SOC News | Apr 26 – ArcaneDoor: A New Espionage Campaign

Cisco Talos identified a previously unknown state-sponsored actor behind ArcaneDoor, a sophisticated cyber espionage campaign targeting the perimeter network devices of several vendors. This actor is now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive