<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<content>
<qradarversion>2020.7.3.20210323172312</qradarversion>
<custom_rule>
<origin>USER</origin>
<flags>0</flags>
<mod_date>2021-12-10T12:42:06.106-03:00</mod_date>
<rule_data>PHJ1bGUgb3ZlcnJpZGVpZD0iMTMwOTQ1IiBvd25lcj0iamFpcm8ub2xpdmVpcmEiIHNjb3BlPSJMT0NBTCIgdHlwZT0iRVZFTlQiIHJvbGVEZWZpbml0aW9uPSJmYWxzZSIgYnVpbGRpbmdCbG9jaz0iZmFsc2UiIGVuYWJsZWQ9ImZhbHNlIiBpZD0iMTMwOTQ1Ij48bmFtZT5JbnN0YWxsZXJGaWxlVGFrZU92ZXIgTFBFIENWRS0yMDIxLTQxMzc5IEZpbGUgQ3JlYXRlIEV2ZW50PC9uYW1lPjxub3Rlcz5SZWdyYSBxdWUgZGV0ZWN0YSBvIENWRSBJbnN0YWxsZXJGaWxlVGFrZU92ZXIgTFBFIENWRS0yMDIxLTQxMzc5IEZpbGUgQ3JlYXRlIEV2ZW50LiYjeGE7JiN4YTtWdWxuZXJhYmlsaWRhZGUgbm8gV2luZG93cyBJbnN0YWxsZXIgcXVlIHBlcm1pdGUgcXVlIHVtIGludmFzb3IgbG9jYWwgb2J0ZW5oYSBwcml2aWzDqWdpb3MgYWRtaW5pc3RyYXRpdm9zLjwvbm90ZXM+PHRlc3REZWZpbml0aW9ucz48dGVzdCByZXF1aXJlZENhcGFiaWxpdGllcz0iRXZlbnRWaWV3ZXIuUlVMRUNSRUFUSU9OfFNVUlZFSUxMQU5DRS5SVUxFQ1JFQVRJT04iIGdyb3VwSWQ9IjEiIGdyb3VwPSJqc3AucXJhZGFyLnJ1bGV3aXphcmQuY29uZGl0aW9uLnBhZ2UuZ3JvdXAuY29tbW9uIiB1aWQ9IjAiIG5hbWU9ImNvbS5xMWxhYnMuc2Vtc291cmNlcy5jcmUudGVzdHMuQVFMX1Rlc3QiIGlkPSIzMjAiPjx0ZXh0PndoZW4gdGhlIGV2ZW50IG1hdGNoZXMgJmx0O2EgaHJlZj0namF2YXNjcmlwdDplZGl0UGFyYW1ldGVyKCIwIiwgIjEiKScgY2xhc3M9J2R5bmFtaWMnJmd0OyhFdmVudElEPScxMScgYW5kIExPR1NPVVJDRVRZUEVOQU1FKGRldmljZXR5cGUpIGlsaWtlICclTWljcm9zb2Z0IFdpbmRvd3MgU2VjdXJpdHkgRXZlbnQgTG9nJScgYW5kIEltYWdlIGlsaWtlICclXG1zaWV4ZWMuZXhlJyBhbmQgRmlsZW5hbWUgaWxpa2UgJ0M6XFByb2dyYW0gRmlsZXMgKHg4NilcTWljcm9zb2Z0XEVkZ2VcQXBwbGljYXRpb24lJyBhbmQgRmlsZW5hbWUgaWxpa2UgJyVcZWxldmF0aW9uX3NlcnZpY2UuZXhlJykmbHQ7L2EmZ3Q7IEFRTCBmaWx0ZXIgcXVlcnk8L3RleHQ+PHBhcmFtZXRlciBpZD0iMSI+PGluaXRpYWxUZXh0PnRoaXM8L2luaXRpYWxUZXh0PjxzZWxlY3Rpb25MYWJlbD5FbnRlciBhbiBBUUwgZmlsdGVyIHF1ZXJ5PC9zZWxlY3Rpb25MYWJlbD48dXNlck9wdGlvbnMgc291cmNlPSJ1c2VyIiBmb3JtYXQ9IkN1c3RvbWl6ZVBhcmFtZXRlci1BUUwuanNwIi8+PHVzZXJTZWxlY3Rpb24+KEV2ZW50SUQlM0QnMTEnJTIwYW5kJTIwTE9HU09VUkNFVFlQRU5BTUUoZGV2aWNldHlwZSklMjBpbGlrZSUyMCclMjVNaWNyb3NvZnQlMjBXaW5kb3dzJTIwU2VjdXJpdHklMjBFdmVudCUyMExvZyUyNSclMjBhbmQlMjBJbWFnZSUyMGlsaWtlJTIwJyUyNSU1Q21zaWV4ZWMuZXhlJyUyMGFuZCUyMEZpbGVuYW1lJTIwaWxpa2UlMjAnQyUzQSU1Q1Byb2dyYW0lMjBGaWxlcyUyMCh4ODYpJTVDTWljcm9zb2Z0JTVDRWRnZSU1Q0FwcGxpY2F0aW9uJTI1JyUyMGFuZCUyM
EZpbGVuYW1lJTIwaWxpa2UlMjAnJTI1JTVDZWxldmF0aW9uX3NlcnZpY2UuZXhlJyl8JTVCJTIyKEV2ZW50SUQlM0QnMTEnJTIwYW5kJTIwTE9HU09VUkNFVFlQRU5BTUUoZGV2aWNldHlwZSklMjBpbGlrZSUyMCclMjVNaWNyb3NvZnQlMjBXaW5kb3dzJTIwU2VjdXJpdHklMjBFdmVudCUyMExvZyUyNSclMjBhbmQlMjBJbWFnZSUyMGlsaWtlJTIwJyUyNSU1QyU1Q21zaWV4ZWMuZXhlJyUyMGFuZCUyMEZpbGVuYW1lJTIwaWxpa2UlMjAnQyUzQSU1QyU1Q1Byb2dyYW0lMjBGaWxlcyUyMCh4ODYpJTVDJTVDTWljcm9zb2Z0JTVDJTVDRWRnZSU1QyU1Q0FwcGxpY2F0aW9uJTI1JyUyMGFuZCUyMEZpbGVuYW1lJTIwaWxpa2UlMjAnJTI1JTVDJTVDZWxldmF0aW9uX3NlcnZpY2UuZXhlJyklMjIlNUQ8L3VzZXJTZWxlY3Rpb24+PHVzZXJTZWxlY3Rpb25UeXBlcz5wcm9wZXJ0eTwvdXNlclNlbGVjdGlvblR5cGVzPjx1c2VyU2VsZWN0aW9uSWQ+MDwvdXNlclNlbGVjdGlvbklkPjwvcGFyYW1ldGVyPjxwYXJhbWV0ZXIgaWQ9IjIiPjxpbml0aWFsVGV4dD48L2luaXRpYWxUZXh0PjxzZWxlY3Rpb25MYWJlbD5TZWxlY3QgYSB2YWx1ZTwvc2VsZWN0aW9uTGFiZWw+PHVzZXJTZWxlY3Rpb24+ZXZlbnRzPC91c2VyU2VsZWN0aW9uPjx1c2VyU2VsZWN0aW9uSWQ+MDwvdXNlclNlbGVjdGlvbklkPjwvcGFyYW1ldGVyPjwvdGVzdD48L3Rlc3REZWZpbml0aW9ucz48YWN0aW9ucz48YWx0ZXJNZXRyaWMgdmFsdWU9IjkiIG9wZXJhdGlvbj0ic2V0U2V2ZXJpdHkiIG1ldHJpYz0ic2V0U2V2ZXJpdHkiLz48YWx0ZXJNZXRyaWMgdmFsdWU9IjgiIG9wZXJhdGlvbj0ic2V0Q3JlZGliaWxpdHkiIG1ldHJpYz0ic2V0Q3JlZGliaWxpdHkiLz48YWx0ZXJNZXRyaWMgdmFsdWU9IjkiIG9wZXJhdGlvbj0ic2V0UmVsZXZhbmNlIiBtZXRyaWM9InNldFJlbGV2YW5jZSIvPjxldmVudEFubm90YXRpb24+PGZvcm1hdFN0cmluZz5BY2lvbmFyIG8gY2xpZW50ZSBpbWVkaWF0YW1lbnRlLjwvZm9ybWF0U3RyaW5nPjwvZXZlbnRBbm5vdGF0aW9uPjwvYWN0aW9ucz48cmVzcG9uc2VzIHJlZmVyZW5jZVRhYmxlUmVtb3ZlPSJmYWxzZSIgcmVmZXJlbmNlTWFwT2ZNYXBzUmVtb3ZlPSJmYWxzZSIgcmVmZXJlbmNlTWFwT2ZTZXRzUmVtb3ZlPSJmYWxzZSIgcmVmZXJlbmNlTWFwUmVtb3ZlPSJmYWxzZSIgcmVmZXJlbmNlVGFibGU9ImZhbHNlIiByZWZlcmVuY2VNYXBPZk1hcHM9ImZhbHNlIiByZWZlcmVuY2VNYXBPZlNldHM9ImZhbHNlIiByZWZlcmVuY2VNYXA9ImZhbHNlIj48bmV3ZXZlbnQgbG93TGV2ZWxDYXRlZ29yeT0iMTMwMDciIG9mZmVuc2VNYXBwaW5nPSIwIiBmb3JjZU9mZmVuc2VDcmVhdGlvbj0idHJ1ZSIgcWlkPSI2NzUwMDk3NSIgY29udHJpYnV0ZU9mZmVuc2VOYW1lPSJ0cnVlIiBvdmVycmlkZU9mZmVuc2VOYW1lPSJmYWxzZSIgZGVzY3JpYmVPZmZlbnNlPSJ0cnVlIiByZWxldmFuY2U9IjgiIGNyZWRpYmlsaXR5PSI4IiBzZXZlcml0eT0iOSIgZGVzY3JpcHRpb
249IlJlZ3JhIHF1ZSBkZXRlY3RhIG8gQ1ZFIEluc3RhbGxlckZpbGVUYWtlT3ZlciBMUEUgQ1ZFLTIwMjEtNDEzNzkgRmlsZSBDcmVhdGUgRXZlbnQuJiN4YTsmI3hhO1Z1bG5lcmFiaWxpZGFkZSBubyBXaW5kb3dzIEluc3RhbGxlciBxdWUgcGVybWl0ZSBxdWUgdW0gaW52YXNvciBsb2NhbCBvYnRlbmhhIHByaXZpbMOpZ2lvcyBhZG1pbmlzdHJhdGl2b3MuIiBuYW1lPSJJbnN0YWxsZXJGaWxlVGFrZU92ZXIgTFBFIENWRS0yMDIxLTQxMzc5IEZpbGUgQ3JlYXRlIEV2ZW50Ii8+PC9yZXNwb25zZXM+PC9ydWxlPg==</rule_data>
<!-- rule_data (above) is the base64 of the CRE <rule> definition. Decoded, it carries:
     id/overrideid 130945, scope LOCAL, type EVENT, owner jairo.oliveira and enabled="false",
     i.e. the rule is imported DISABLED and has to be switched on after import before it fires.
     Its single test is an AQL_Test with the filter:
       EventID='11' and LOGSOURCETYPENAME(devicetype) ilike '%Microsoft Windows Security Event Log%'
       and Image ilike '%\msiexec.exe'
       and Filename ilike 'C:\Program Files (x86)\Microsoft\Edge\Application%'
       and Filename ilike '%\elevation_service.exe'
     NOTE(review): EventID 11 together with the Image/Filename properties looks like a Sysmon
     FileCreate event forwarded through the Windows log source; confirm those custom properties
     are populated for that source before relying on the rule. The two Filename predicates pin
     detection to that single path, so a file create by msiexec.exe anywhere else does not match.
     Actions set severity 9 / credibility 8 / relevance 9 and annotate the event with
     "Acionar o cliente imediatamente."; the response dispatches a new event with qid 67500975 and
     lowLevelCategory 13007 (the qidmap entry below) with forceOffenseCreation="true". -->
<uuid>177512f1-6691-4c1b-8bc2-9f5630611ff2</uuid>
<rule_type>0</rule_type>
<id>130945</id>
<create_date>2021-11-24T13:53:13.815-03:00</create_date>
</custom_rule>
<!-- Offense index type bundled with the export: the legacy built-in BY_ATTACKER type (id 0),
     which indexes offenses on the sourceIP property and labels it "Source IP".
     NOTE(review): the decoded rule_data carries offenseMapping="0", which appears to refer to
     this id; confirm against the target system's offense types before import. -->
<offense_type>
<database>common</database>
<legacy>true</legacy>
<nva_name>by-attacker</nva_name>
<composite>false</composite>
<custom>false</custom>
<name>BY_ATTACKER</name>
<limiter_string>ATTACKER</limiter_string>
<default_label>Source IP</default_label>
<id>0</id>
<property_name>sourceIP</property_name>
</offense_type>
<!-- QID record for the event the rule's response dispatches: qid 67500975, severity 9,
     low-level category 13007, with every rate threshold/interval/window set to 0.
     qname/qdescription are the display strings (Portuguese) shown for the dispatched event;
     the line breaks inside qdescription are part of the data, so that element is left unformatted. -->
<qidmap>
<severity>9</severity>
<lowlevelcategory>13007</lowlevelcategory>
<reverseip>false</reverseip>
<qid>67500975</qid>
<ratethreshold>0</ratethreshold>
<rateinterval>0</rateinterval>
<qdescription>Regra que detecta o CVE InstallerFileTakeOver LPE CVE-2021-41379 File Create Event.

Vulnerabilidade no Windows Installer que permite que um invasor local obtenha privilégios administrativos.</qdescription>
<catpipename>Alpha</catpipename>
<ratelongwindow>0</ratelongwindow>
<qname>InstallerFileTakeOver LPE CVE-2021-41379 File Create Event</qname>
<rateshortwindow>0</rateshortwindow>
<id>2398414</id>
</qidmap>
</content>