LoFP / corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx

Techniques

Sample rules

Suspicious Usage of CVE_2021_34484 or CVE 2022_21919

Description

During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (there may be a lot of false positives with this event). Moreover, it appears the directory \Users\TEMP may be created during the exploitation. Viewed on 2008 Server.

Detection logic

condition: selection
selection:
  EventID: 1511
  Provider_Name: Microsoft-Windows-User Profiles Service
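
The selection above matches only EventID 1511, while the description mentions a second log, 1515, from the same provider. The following triage helper is an added example, not part of the rule or of this page: it applies the rule's selection to constructed events and marks each hit that has a 1515 from the same provider and host nearby. The `Computer` and `ts` field names and the 120-second window are assumptions.

```python
from datetime import datetime, timedelta

PROVIDER = "Microsoft-Windows-User Profiles Service"
WINDOW = timedelta(seconds=120)  # assumption: pairing window, not taken from the rule

# Constructed sample events (not real logs). EventID and Provider_Name follow
# the rule; "Computer" and "ts" are assumed to be supplied by the log pipeline.
EVENTS = [
    {"ts": "2022-03-01T09:00:01", "Computer": "srv01", "Provider_Name": PROVIDER, "EventID": 1511},
    {"ts": "2022-03-01T09:00:03", "Computer": "srv01", "Provider_Name": PROVIDER, "EventID": 1515},
    {"ts": "2022-03-01T10:15:00", "Computer": "wks07", "Provider_Name": PROVIDER, "EventID": 1511},
    {"ts": "2022-03-01T10:15:02", "Computer": "wks07", "Provider_Name": "Other-Provider", "EventID": 1515},
    {"ts": "2022-03-01T11:00:00", "Computer": "srv01", "Provider_Name": PROVIDER, "EventID": 1515},
]


def selection(event):
    """The rule's selection: EventID 1511 from the User Profiles Service."""
    return event["EventID"] == 1511 and event["Provider_Name"] == PROVIDER


def triage(events, window=WINDOW):
    """Return each selection hit, flagged if a 1515 from the same provider
    was logged on the same host within the window."""
    parsed = [dict(e, when=datetime.fromisoformat(e["ts"])) for e in events]
    results = []
    for hit in filter(selection, parsed):
        companion = any(
            e["EventID"] == 1515
            and e["Provider_Name"] == PROVIDER
            and e["Computer"] == hit["Computer"]
            and abs(e["when"] - hit["when"]) <= window
            for e in parsed
        )
        results.append({"Computer": hit["Computer"], "ts": hit["ts"], "has_1515": companion})
    return results


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```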