Detects attempts and successful exploitation of CVE-2022-26809# CVE-2022-26809
Detects attempts and successful exploitation of
[CVE-2022-26809](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809),
a remote code execution vulnerability over DCE/RPC. This package is described in
detail in [this Corelight blogpost](https://corelight.com/blog/another-day-another-dce-rpc-rce). This package generates the following
notices:
* `CVE_2022_26809::ExploitAttempt`, and
* `CVE_2022_26809::ExploitSuccess`
The first is generated when an attack is attempted, but does not necessarily
succeed. The second is fired only when a successful exploit is detected and
should be investigated immediately. No new logs are generated. This package can
be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-26809
```
Corelight customers can install it by updating the CVE bundle.
[4.0K] /data/pocs/b614d316258f835e0aa63e203be484d4b03769d2
├── [1.5K] LICENSE
├── [ 858] README.md
├── [4.0K] scripts
│ ├── [ 13] __load__.zeek
│ └── [3.2K] main.zeek
├── [4.0K] testing
│ ├── [4.0K] Baseline
│ │ └── [4.0K] tests.exploit
│ │ └── [ 495] notice.log
│ ├── [ 558] btest.cfg
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [ 28] Makefile
│ ├── [4.0K] Scripts
│ │ ├── [ 383] diff-remove-timestamps
│ │ ├── [1.3K] get-zeek-env
│ │ └── [ 303] README
│ ├── [4.0K] tests
│ │ └── [ 319] exploit
│ └── [4.0K] Traces
│ └── [ 24K] cve-2022-26809-4.pcap
└── [ 355] zkg.meta
8 directories, 14 files