@drewchurch
Last active April 27, 2022 21:51
Find CVEs tagged in Splunk Security Content (splunk/security_content) and Check Against CISA's List
import yaml, requests, json
from pathlib import Path
from argparse import ArgumentParser
import re

# CISA Known Exploited Vulnerabilities (KEV) catalog feed
cisaUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
knownBadCVEs = []

parser = ArgumentParser()
parser.add_argument(
    "-i",
    "--cve-ids",
    default=None,
    nargs="+",
    help="Seek these CVE IDs in the ESCU repo.",
)
parser.add_argument(
    "-u",
    "--url",
    default=None,
    help="Find CVEs in this page"
)
args = parser.parse_args()

if args.cve_ids or args.url:
    # Targeted mode: look only for the CVE IDs given on the command line,
    # or for every CVE ID that appears in the page fetched from --url.
    if args.cve_ids:
        cveToFind = set(args.cve_ids)
    else:
        page = requests.get(args.url)
        if page.status_code == 200:
            cveList = re.findall(r"CVE-\d{4}-\d{4,7}", page.text)
            cveToFind = set(cveList)
        else:
            # Previously a failed fetch left cveToFind undefined and the
            # script died with a NameError further down.
            raise SystemExit("Could not fetch {0} (HTTP {1})".format(args.url, page.status_code))
    for c in cveToFind:
        knownBadCVEs.append({
            'cveId': c,
            'detection_found': "false"
        })
    print('cve,correlation_search_name')
    # Walk every ESCU detection YAML and report the ones tagged with a CVE we are looking for.
    for detection in Path("security_content/detections/").rglob('*.yml'):
        with open(detection, 'r') as file:
            doc = yaml.load(file, Loader=yaml.FullLoader)
        # Detections without a tags block or without a cve tag are skipped.
        cvedict = (doc.get("tags") or {}).get("cve") or []
        name = "ESCU - " + doc["name"] + " - Rule"
        for cve_detection in cvedict:
            for c in knownBadCVEs:
                if c['cveId'] == cve_detection:
                    c['detection_found'] = "true"
                    print(cve_detection + "," + name)
    cveWithNoDetection = filter(lambda c: c['detection_found'] == "false", knownBadCVEs)
    prettyList = []
    for i in list(cveWithNoDetection):
        prettyList.append(i['cveId'])
    print("{0} CVEs with no detection found:".format(len(prettyList)))
    print(prettyList)
else:
    # Default mode: list every CVE-tagged ESCU detection and flag whether the
    # CVE is in CISA's KEV catalog (and when it was added).
    response = requests.get(cisaUrl)
    if response.status_code == 200:
        jsonData = json.loads(response.text)
        for cve in jsonData['vulnerabilities']:
            knownBadCVEs.append({
                'cveId': cve['cveID'],
                'dateAdded': cve['dateAdded']})
        print('cve,correlation_search_name,cisa_known_exploited,cisa_date_added')
        for detection in Path("security_content/detections/").rglob('*.yml'):
            with open(detection, 'r') as file:
                doc = yaml.load(file, Loader=yaml.FullLoader)
            cvedict = (doc.get("tags") or {}).get("cve") or []
            name = "ESCU - " + doc["name"] + " - Rule"
            for cve in cvedict:
                # Reset per CVE, before the lookup loop, so the values are
                # defined even when the KEV list is empty or has no match.
                knownBad = "false"
                dateAdded = ""
                for c in knownBadCVEs:
                    if c['cveId'] == cve:
                        knownBad = "true"
                        dateAdded = c['dateAdded']
                        break
                print(cve + "," + name + "," + knownBad + "," + dateAdded)
    else:
        raise SystemExit("Could not fetch the CISA KEV feed (HTTP {0})".format(response.status_code))
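The script above matches CVE IDs by exact string comparison and, in KEV mode, only reports per detection, so it never says which KEV entries have no ESCU detection at all. The following is an added example (not part of the gist or of splunk/security_content) that factors the cross-reference into testable functions, normalizes CVE IDs before matching, and produces the KEV coverage gap. The KEV JSON and the parsed detection documents are constructed inline; their dates are illustrative only.

```python
import json
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample in the shape of CISA's KEV feed: a 'vulnerabilities'
# list whose items carry 'cveID' and 'dateAdded'. Dates are illustrative.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "dateAdded": "2021-12-10"},
  {"cveID": "CVE-2021-4034",  "dateAdded": "2022-06-14"},
  {"cveID": "CVE-2019-11510", "dateAdded": "2021-11-03"}
]}"""

# Constructed stand-ins for parsed ESCU detection YAML files (the script
# reads doc['name'] and doc['tags']['cve'] from each *.yml).
DETECTIONS = [
    {"name": "Linux Java Spawning Shell", "tags": {"cve": ["CVE-2021-44228"]}},
    {"name": "Linux pkexec Privilege Escalation", "tags": {"cve": ["cve-2021-4034 "]}},
    {"name": "Detect Outbound LDAP Traffic", "tags": {"cve": ["CVE-2021-44228"]}},
    {"name": "Some Detection Without CVE Tags", "tags": {}},
]

def normalize(cve_id):
    """Canonical upper-case form so 'cve-2021-4034 ' matches 'CVE-2021-4034'."""
    m = CVE_RE.search(cve_id.strip())
    return m.group(0).upper() if m else None

def load_kev(kev_json):
    """KEV feed text -> {CVE id: dateAdded}."""
    data = json.loads(kev_json)
    return {v["cveID"].upper(): v["dateAdded"] for v in data["vulnerabilities"]}

def detections_by_cve(docs):
    """Parsed detection docs -> {CVE id: [ESCU rule names]}."""
    index = defaultdict(list)
    for doc in docs:
        for raw in (doc.get("tags") or {}).get("cve") or []:
            cve = normalize(str(raw))
            if cve:
                index[cve].append("ESCU - " + doc["name"] + " - Rule")
    return index

def kev_coverage(kev_json, docs):
    """Return (covered, uncovered): KEV CVE -> rule names, KEV CVE -> dateAdded."""
    kev = load_kev(kev_json)
    index = detections_by_cve(docs)
    covered = {c: index[c] for c in kev if c in index}
    uncovered = {c: kev[c] for c in kev if c not in index}
    return covered, uncovered
```

Running `kev_coverage(KEV_JSON, DETECTIONS)` on the constructed data reports two covered KEV entries and one (CVE-2019-11510) with no detection; swapping in the real feed and `yaml`-loaded detection files gives the same report for the live catalog.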
drewchurch commented Jan 19, 2022

Example Output as of 27APR2022 running in --cve-id/-I mode:

cve correlation_search_name
CVE-2020-1472,ESCU - Detect Zerologon via Zeek - Rule
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule
CVE-2020-1472,ESCU - Detect Computer Changed with Anonymous Account - Rule
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule
CVE-2021-44228,ESCU - Windows Java Spawning Shells - Rule
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 - Rule
CVE-2021-44228,ESCU - Log4Shell JNDI Payload Injection Attempt - Rule
CVE-2021-44228,ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule
CVE-2021-44228,ESCU - Detect Outbound LDAP Traffic - Rule
CVE-2021-34527,ESCU - Suspicious Rundll32 no Command Line Arguments - Rule
CVE-2021-44228,ESCU - Curl Download and Bash Execution - Rule
CVE-2021-40444,ESCU - Rundll32 Control RunDLL Hunt - Rule
CVE-2021-34527,ESCU - Spoolsv Writing a DLL - Rule
CVE-2021-44228,ESCU - Outbound Network Connection from Java Using Default Ports - Rule
CVE-2021-40444,ESCU - Office Product Writing cab or inf - Rule
CVE-2021-44228,ESCU - Hunting for Log4Shell - Rule
CVE-2021-44228,ESCU - CMD Carry Out String Command Parameter - Rule
CVE-2021-34527,ESCU - Spoolsv Suspicious Process Access - Rule
CVE-2021-34527,ESCU - Spoolsv Suspicious Loaded Modules - Rule
CVE-2021-26857,ESCU - Unified Messaging Service Spawning a Process - Rule
CVE-2021-44228,ESCU - Java Class File download by Java User Agent - Rule
CVE-2021-40444,ESCU - Rundll32 Control RunDLL World Writable Directory - Rule
CVE-2021-40444,ESCU - Control Loading from World Writable Directory - Rule
CVE-2021-34473,ESCU - W3WP Spawning Shell - Rule
CVE-2021-34523,ESCU - W3WP Spawning Shell - Rule
CVE-2021-31207,ESCU - W3WP Spawning Shell - Rule
CVE-2021-44228,ESCU - Linux Java Spawning Shell - Rule
CVE-2021-40444,ESCU - MSHTML Module Load in Office Product - Rule
CVE-2021-44228,ESCU - Any Powershell DownloadFile - Rule
CVE-2021-34527,ESCU - Print Spooler Failed to Load a Plug-in - Rule
CVE-2021-1675,ESCU - Print Spooler Failed to Load a Plug-in - Rule
CVE-2021-40444,ESCU - Office Spawning Control - Rule
CVE-2021-34527,ESCU - Print Spooler Adding A Printer Driver - Rule
CVE-2021-1675,ESCU - Print Spooler Adding A Printer Driver - Rule
CVE-2021-34527,ESCU - Spoolsv Spawning Rundll32 - Rule
CVE-2021-34527,ESCU - Rundll32 with no Command Line Arguments with Network - Rule
CVE-2021-44228,ESCU - Wget Download and Bash Execution - Rule
CVE-2021-44228,ESCU - PowerShell - Connect To Internet With Hidden Window - Rule
CVE-2021-34527,ESCU - Spoolsv Writing a DLL - Sysmon - Rule
26 CVEs with no detection found:
['CVE-2021-27101', 'CVE-2021-26858', 'CVE-2019-11510', 'CVE-2021-27103', 'CVE-2021-22893', 'CVE-2017-11882', 'CVE-2021-21972', 'CVE-2017-0199', 'CVE-2021-27065', 'CVE-2020-0688', 'CVE-2021-21985', 'CVE-2019-19781', 'CVE-2019-18935', 'CVE-2020-2509', 'CVE-2021-26084', 'CVE-2021-27852', 'CVE-2021-27102', 'CVE-2021-26855', 'CVE-2021-35464', 'CVE-2021-27104', 'CVE-2021-20016', 'CVE-2018-0171', 'CVE-2021-20038', 'CVE-2021-40539', 'CVE-2018-13379', 'CVE-2021-42237']

and running in normal 'report all the CVEs and CISA KEVs mode':

cve,correlation_search_name,cisa_known_exploited,cisa_date_added
CVE-2020-5902,ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule,true,2021-11-03
CVE-2020-1472,ESCU - Detect Zerologon via Zeek - Rule,true,2021-11-03
CVE-2020-1350,ESCU - Detect Windows DNS SIGRed via Zeek - Rule,true,2021-11-03
CVE-2020-1350,ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule,true,2021-11-03
CVE-2018-8440,ESCU - Child Processes of Spoolsv exe - Rule,true,2022-03-28
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule,true,2022-04-06
CVE-2020-1472,ESCU - Detect Computer Changed with Anonymous Account - Rule,true,2021-11-03
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule,true,2022-04-06
CVE-2021-44228,ESCU - Windows Java Spawning Shells - Rule,true,2021-12-10
CVE-2021-3156,ESCU - Detect Baron Samedit CVE-2021-3156 - Rule,true,2022-04-06
CVE-2021-31166,ESCU - WinRM Spawning a Process - Rule,true,2022-04-06
CVE-2022-22965,ESCU - Spring4Shell Payload URL Request - Rule,true,2022-04-04
CVE-2021-44228,ESCU - Log4Shell JNDI Payload Injection Attempt - Rule,true,2021-12-10
CVE-2022-22963,ESCU - Web Spring Cloud Function FunctionRouter - Rule,false,
CVE-2022-22965,ESCU - Web JSP Request via URL - Rule,true,2022-04-04
CVE-2022-22965,ESCU - Web Spring4Shell HTTP Request Class Module - Rule,true,2022-04-04
CVE-2021-44228,ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule,true,2021-12-10
CVE-2021-44228,ESCU - Detect Outbound LDAP Traffic - Rule,true,2021-12-10
CVE-2021-34527,ESCU - Suspicious Rundll32 no Command Line Arguments - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Curl Download and Bash Execution - Rule,true,2021-12-10
CVE-2021-40444,ESCU - Rundll32 Control RunDLL Hunt - Rule,true,2021-11-03
CVE-2021-41379,ESCU - MSI Module Loaded by Non-System Binary - Rule,true,2022-03-03
CVE-2021-34527,ESCU - Spoolsv Writing a DLL - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Outbound Network Connection from Java Using Default Ports - Rule,true,2021-12-10
CVE-2021-4034,ESCU - Linux pkexec Privilege Escalation - Rule,false,
CVE-2021-36934,ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule,true,2022-02-10
CVE-2021-40444,ESCU - Office Product Writing cab or inf - Rule,true,2021-11-03
CVE-2021-36942,ESCU - PetitPotam Network Share Access Request - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Hunting for Log4Shell - Rule,true,2021-12-10
CVE-2021-44228,ESCU - CMD Carry Out String Command Parameter - Rule,true,2021-12-10
CVE-2021-36934,ESCU - SAM Database File Access Attempt - Rule,true,2022-02-10
CVE-2021-34527,ESCU - Spoolsv Suspicious Process Access - Rule,true,2021-11-03
CVE-2021-34527,ESCU - Spoolsv Suspicious Loaded Modules - Rule,true,2021-11-03
CVE-2022-22965,ESCU - Java Writing JSP File - Rule,true,2022-04-04
CVE-2021-26857,ESCU - Unified Messaging Service Spawning a Process - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Java Class File download by Java User Agent - Rule,true,2021-12-10
CVE-2021-40444,ESCU - Rundll32 Control RunDLL World Writable Directory - Rule,true,2021-11-03
CVE-2021-40444,ESCU - Control Loading from World Writable Directory - Rule,true,2021-11-03
CVE-2021-34473,ESCU - W3WP Spawning Shell - Rule,true,2021-11-03
CVE-2021-34523,ESCU - W3WP Spawning Shell - Rule,true,2021-11-03
CVE-2021-31207,ESCU - W3WP Spawning Shell - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Linux Java Spawning Shell - Rule,true,2021-12-10
CVE-2021-40444,ESCU - MSHTML Module Load in Office Product - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Any Powershell DownloadFile - Rule,true,2021-12-10
CVE-2021-34527,ESCU - Print Spooler Failed to Load a Plug-in - Rule,true,2021-11-03
CVE-2021-1675,ESCU - Print Spooler Failed to Load a Plug-in - Rule,true,2021-11-03
CVE-2021-40444,ESCU - Office Spawning Control - Rule,true,2021-11-03
CVE-2021-36942,ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule,true,2021-11-03
CVE-2021-42287,ESCU - Suspicious Computer Account Name Change - Rule,true,2022-04-11
CVE-2021-42278,ESCU - Suspicious Computer Account Name Change - Rule,true,2022-04-11
CVE-2021-34527,ESCU - Print Spooler Adding A Printer Driver - Rule,true,2021-11-03
CVE-2021-1675,ESCU - Print Spooler Adding A Printer Driver - Rule,true,2021-11-03
CVE-2021-34527,ESCU - Spoolsv Spawning Rundll32 - Rule,true,2021-11-03
CVE-2021-34527,ESCU - Rundll32 with no Command Line Arguments with Network - Rule,true,2021-11-03
CVE-2021-44228,ESCU - Wget Download and Bash Execution - Rule,true,2021-12-10
CVE-2021-44228,ESCU - PowerShell - Connect To Internet With Hidden Window - Rule,true,2021-12-10
CVE-2021-34527,ESCU - Spoolsv Writing a DLL - Sysmon - Rule,true,2021-11-03
CVE-2021-42287,ESCU - Suspicious Kerberos Service Ticket Request - Rule,true,2022-04-11
CVE-2021-42278,ESCU - Suspicious Kerberos Service Ticket Request - Rule,true,2022-04-11
CVE-2021-3422,ESCU - Splunk DoS via Malformed S2S Request - Rule,false,
CVE-2018-11409,ESCU - Splunk Enterprise Information Disclosure - Rule,false,
CVE-2016-4859,ESCU - Open Redirect in Splunk Web - Rule,false,
CVE-2017-5753,ESCU - Spectre and Meltdown Vulnerable Systems - Rule,false,
