3,747 ready-to-deploy Sigma detections and 5,017 CVEs from RedEye Security, served over STIX 2.1 / TAXII 2.1 and as plain bundle downloads. Point any TIP at one URL.
The community Sigma detection corpus (SigmaHQ) as STIX 2.1 indicators (pattern_type=sigma), redistributed under the Detection Rule License (DRL 1.1) with attribution to SigmaHQ and rule authors.
Coverage of 171 MITRE ATT&CK techniques, ready to transpile to any SIEM query language (Splunk, Sentinel, Elastic, QRadar, and more).
Sigma detections (STIX indicators) for published CVEs, paired with the related CVE vulnerability objects (NVD-backfilled, CISA-KEV and EPSS enriched).
17 of those CVEs carry a generated Sigma detection so far; the rest gain detections automatically as CVE Forge runs.
Most feeds hand you indicators (IPs, hashes, domains) and leave the detection engineering to you. The public Sigma corpus is excellent but human-written for known techniques, so a freshly disclosed CVE can sit for weeks, or forever, with no rule.
CVE Forge closes that gap. The moment a CVE lands on NVD, our Etairos-powered pipeline reads the vulnerability and uses an LLM to author a Sigma detection for that specific CVE, then transpiles and validates it. Ready-to-deploy content for vulnerabilities no public rule set has reached yet. Curated breadth from the Sigma Library, plus CVE-specific coverage within minutes from the Forge.
title: "CVE-2021-34527 — Windows Print Spooler privilege escalation to SYSTEM (PrintNightmare/\"MiniPlasma\")"
id: cve-2021-34527-printspooler-lpe
status: experimental
description: 'Local privilege escalation in the Windows Print Spooler service allowing an unprivileged user to execute code as SYSTEM. Detection of exploitation requires Windows endpoint process/image-load telemetry (e.g. spoolsv.exe spawning child processes or loading DLLs from the spool driver directory), which is not present in this data lake.'
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-34527
- https://threat-intelligence.redeyesecurity.com/blog/windows-miniplasma-zero-day-system-access-2026.html
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
Sigma is the detection rule: the logic ("if these log fields match, alert"). Vendor-neutral; transpiles to any SIEM. The content.
STIX 2.1 is the format: a standard JSON envelope. A Sigma rule rides inside a STIX Indicator (pattern_type=sigma); CVEs are STIX Vulnerability objects. The packaging.
TAXII 2.1 is the transport: the HTTP API your tools poll to discover and pull STIX. The delivery. The LLM only authors Sigma; STIX and TAXII are deterministic.
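As an added example (not RedEye's or the feed's own code), here is the packaging described above with only the Python standard library: a producer wraps a constructed Sigma rule in a STIX 2.1 Indicator with pattern_type=sigma, links it by an "indicates" relationship to a Vulnerability object for the CVE, and a consumer pulls the Sigma text back out while ignoring indicators of any other pattern type. The object ids, timestamps and rule body are constructed here, and the TAXII polling step is omitted.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample Sigma rule (YAML text), illustrative only, to wrap in a STIX 2.1 Indicator.
SIGMA_RULE = """\
title: Print Spooler spawning a child process (constructed sample)
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\\spoolsv.exe'
    condition: selection
"""

def _stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"

def _now():
    # STIX 2.1 timestamp: UTC, millisecond precision, 'Z' suffix
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_bundle(sigma_yaml, cve_id):
    """Producer side: Indicator(pattern_type=sigma) --indicates--> Vulnerability(CVE)."""
    ts = _now()
    vuln = {"type": "vulnerability", "spec_version": "2.1", "id": _stix_id("vulnerability"),
            "created": ts, "modified": ts, "name": cve_id,
            "external_references": [{"source_name": "cve", "external_id": cve_id}]}
    ind = {"type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
           "created": ts, "modified": ts, "name": f"Sigma detection for {cve_id}",
           "pattern_type": "sigma", "pattern": sigma_yaml, "valid_from": ts}
    rel = {"type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
           "created": ts, "modified": ts, "relationship_type": "indicates",
           "source_ref": ind["id"], "target_ref": vuln["id"]}
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [vuln, ind, rel]}

def extract_sigma_rules(bundle):
    """Consumer side: map each CVE name to the Sigma rule text that indicates it."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rules = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "indicates":
            continue
        src, dst = objs.get(o["source_ref"]), objs.get(o["target_ref"])
        if not src or not dst or dst["type"] != "vulnerability":
            continue
        if src["type"] == "indicator" and src.get("pattern_type") == "sigma":
            rules[dst["name"]] = src["pattern"]
    return rules
```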
Lighthouse: external exposure intelligence, passive attack-surface and CVE-exposure scans for any organization. Open Lighthouse →
Blog: RedEye's threat-intel briefings and ICS / critical-infrastructure security research. Read the blog →
Caver: the Splunk-compatible SIEM and security data-lake engine behind the CVE Forge and these feeds. Explore Caver →