Merge branch 'SigmaHQ:master' into master

.github/ISSUE_TEMPLATE/false_positive_report.yml

@@ -1,6 +1,8 @@
 name: "False Positive Report"
 description: Report false positives with SIGMA rules
 labels: [False-Positive]
+assignees:
+  - nasbench
 body:
 - type: input
   attributes:

.github/ISSUE_TEMPLATE/rule_proposal.md

@@ -3,7 +3,8 @@ name: "Rule Proposal"
 about: Rule Idea Proposal
 title: ''
 labels: Rule
-assignees: ''
+assignees:
+  - nasbench
 
 ---
 

.github/latest_archiver_output.md

@@ -0,0 +1,130 @@
+# Reference Archiver Results
+
+Last Execution: 2023-11-03 14:11:09
+
+### Archiver Script Results
+
+
+#### Newly Archived References
+
+N/A
+
+#### Already Archived References
+
+- https://twitter.com/_JohnHammond/status/1708910264261980634
+- https://github.com/Pennyw0rth/NetExec/
+- https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
+- https://linux.die.net/man/1/wget
+- https://github.com/1N3/Sn1per
+- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+- https://github.com/Tib3rius/AutoRecon
+- https://github.com/pr0xylife/DarkGate/tree/main
+- https://github.com/HavocFramework/Havoc
+- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
+- https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
+- https://ipfyx.fr/post/visual-studio-code-tunnel/
+- https://github.com/t3l3machus/hoaxshell
+- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
+- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
+- https://twitter.com/fr0s7_/status/1712780207105404948
+- https://code.visualstudio.com/docs/remote/tunnels
+- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
+- https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+- https://badoption.eu/blog/2023/01/31/code_c2.html
+- https://github.com/t3l3machus/Villain
+- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
+- https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
+- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
+- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
+- https://ss64.com/nt/regsvr32.html
+- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
+- https://github.com/Ne0nd0g/merlin
+- https://github.com/projectdiscovery/naabu
+- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+- https://dataconomy.com/2023/10/23/okta-data-breach/
+- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
+- https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+- https://github.com/win3zz/CVE-2023-43261
+- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
+- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
+- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
+- https://github.security.telekom.com/2023/08/darkgate-loader.html
+- https://vulncheck.com/blog/real-world-cve-2023-43261
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
+
+#### Error While Archiving References
+
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+- https://linux.die.net/man/8/useradd
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://paper.seebug.org/1495/
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
+- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
+- https://linux.die.net/man/1/arecord
+- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
+- https://www.sans.org/cyber-security-summit/archives
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://www.group-ib.com/resources/threat-research/red-curl-2.html
+- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+- https://news.ycombinator.com/item?id=29504755
+- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- https://megatools.megous.com/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

.github/workflows/ref-archiver.yml

@@ -25,9 +25,30 @@ jobs:
       run: |
         pip install PyYAML argparse requests
         python tests/reference-archiver.py
-    - name: Post Results
-      uses: JasonEtco/create-an-issue@v2
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
       with:
-        filename: .github/archiver_output.md
+        reviewers: nasbench, frack113, phantinuss
+        delete-branch: true
+        commit-message: 'chore: archive new rule references and update cache file'
+        title: 'Archive New Rule References'
+        body: |
+          ### Summary of the Pull Request
+
+          This PR update the cache file used to save already archived references with newly archived results
+
+          ### Changelog
+
+          chore: archive new rule references and update cache file
+
+          ### Example Log Event
+
+          N/A
+
+          ### Fixed Issues
+
+          N/A
+
+          ### SigmaHQ Rule Creation Conventions
+          
+          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt
-          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
           LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
           cat changes.txt >> changelog.txt
@@ -42,11 +42,11 @@ jobs:
           cat changelog.txt
       - name: Build all release packages
         run: |
-          python3 tests/sigma-package-release.py --min-status test --min-level high --rule-types generic --outfile sigma_core_${{ github.ref_name }}.zip
-          python3 tests/sigma-package-release.py --min-status test --min-level medium --rule-types generic --outfile sigma_core+_${{ github.ref_name }}.zip
-          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic --outfile sigma_core++_${{ github.ref_name }}.zip
-          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types et --outfile sigma_emerging_threats_addon_${{ github.ref_name }}.zip
-          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic et --outfile sigma_all_rules_${{ github.ref_name }}.zip
+          python3 tests/sigma-package-release.py --min-status test --min-level high --rule-types generic --outfile sigma_core.zip
+          python3 tests/sigma-package-release.py --min-status test --min-level medium --rule-types generic --outfile sigma_core+.zip
+          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic --outfile sigma_core++.zip
+          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types et --outfile sigma_emerging_threats_addon.zip
+          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic et --outfile sigma_all_rules.zip
       - name: Create Release with Assets
         id: create_release
         uses: softprops/action-gh-release@v1
@@ -55,11 +55,11 @@ jobs:
           name: Release ${{ github.ref_name }}
           body_path: changelog.txt
           token: ${{ secrets.GITHUB_TOKEN }}
-          draft: false
+          draft: true
           prerelease: false
           files: |
-            sigma_core_${{ github.ref_name }}.zip
-            sigma_core+_${{ github.ref_name }}.zip
-            sigma_core++_${{ github.ref_name }}.zip
-            sigma_emerging_threats_addon_${{ github.ref_name }}.zip
-            sigma_all_rules_${{ github.ref_name }}.zip
+            sigma_core.zip
+            sigma_core+.zip
+            sigma_core++.zip
+            sigma_emerging_threats_addon.zip
+            sigma_all_rules.zip

.github/workflows/sigma-test.yml

@@ -76,7 +76,7 @@ jobs:
         pip install sigma-cli
     - name: Test Sigma Rule Syntax
       run: |
-        sigma check rules*
+        sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
     - name: Test Sigma Rules
       run: |
         pip install PyYAML attackcti colorama

README.md

@@ -104,6 +104,7 @@ If you find a false positive or would like to propose a new detection rule idea
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
+* [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM
 
 ## 📜 Maintainers
 

rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml

@@ -1,6 +1,6 @@
 title: Rejetto HTTP File Server RCE
 id: a133193c-2daa-4a29-8022-018695fcf0ae
-status: experimental
+status: test
 description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
 references:
     - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/

rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml

@@ -1,6 +1,6 @@
 title: CVE-2021-41773 Exploitation Attempt
 id: 3007fec6-e761-4319-91af-e32e20ac43f5
-status: experimental
+status: test
 description: |
   Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
   An attacker could use a path traversal attack to map URLs to files outside the expected document root.

rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml

@@ -1,6 +1,6 @@
 title: Log4j RCE CVE-2021-44228 in Fields
 id: 9be472ed-893c-4ec0-94da-312d2765f654
-status: experimental
+status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
 references:
     - https://www.lunasec.io/docs/blog/log4j-zero-day/

rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml

@@ -1,6 +1,6 @@
 title: Exchange ProxyShell Pattern
 id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
-status: experimental
+status: test
 description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
 references:
     - https://youtu.be/5mqid-7zp8k?t=2231

rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml

@@ -1,6 +1,6 @@
 title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
 id: dd218fb6-4d02-42dc-85f0-a0a376072efd
-status: experimental
+status: test
 description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
 references:
     - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/

rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml

@@ -1,6 +1,6 @@
 title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
 id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
-status: experimental
+status: test
 description: |
     Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
     VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.

rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml

@@ -1,6 +1,6 @@
 title: CVE-2022-31659 VMware Workspace ONE Access RCE
 id: efdb2003-a922-48aa-8f37-8b80021a9706
-status: experimental
+status: test
 description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
 references:
     - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd

rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml

@@ -1,6 +1,6 @@
 title: Apache Spark Shell Command Injection - Weblogs
 id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
-status: experimental
+status: test
 description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
 references:
     - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py

rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml

@@ -1,6 +1,6 @@
 title: Atlassian Bitbucket Command Injection Via Archive API
 id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
-status: experimental
+status: test
 description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
 references:
     - https://twitter.com/_0xf4n9x_/status/1572052954538192901

rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2022-46169 Exploitation Attempt
 id: 738cb115-881f-4df3-82cc-56ab02fc5192
-status: experimental
+status: test
 description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
 references:
     - https://github.com/0xf4n9x/CVE-2022-46169

rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml

@@ -1,6 +1,6 @@
 title: Potential OWASSRF Exploitation Attempt - Webserver
 id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
 references:
     - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml

@@ -1,6 +1,6 @@
 title: OWASSRF Exploitation Attempt Using Public POC - Webserver
 id: 92d78c63-5a5c-4c40-9b60-463810ffb082
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
 references:
     - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml

@@ -1,4 +1,4 @@
-title: Potential Information Discolosure CVE-2023-43261 Exploitation - Proxy
+title: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
 id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
 related:
     - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
@@ -13,6 +13,7 @@ references:
     - https://vulncheck.com/blog/real-world-cve-2023-43261
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
 date: 2023/10/20
+modified: 2023/10/30
 tags:
     - attack.initial_access
     - attack.t1190