Merge PR SigmaHQ#5007 from @fukusuket - Fix unreachable GitHub URL references

chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
fukusuket authored Sep 13, 2024
1 parent ab2fb36 commit 1324828
Showing 14 changed files with 17 additions and 17 deletions.
Expand Up @@ -3,7 +3,7 @@ id: b916cba1-b38a-42da-9223-17114d846fd6
status: deprecated
description: Detects potential NT API stub patching as seen used by the project PatchingAPI
references:
- https://github.com/D1rkMtr/UnhookingPatch
- https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
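Review bot: the `date` on this rule uses slashes (`date: 2023/01/07`) while every other rule touched in this PR uses ISO dashes (for example `date: 2021-06-29`); since the file is being edited anyway, normalising it to `2023-01-07` is a cheap fix, even if it sits outside the PR's stated scope. The chosen snapshot (20230106211702) is from the day before the rule's date, so it captures the repository state the author actually referenced, which is the right vintage for a `status: deprecated` rule.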
Expand Up @@ -3,8 +3,8 @@ id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
status: test
description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
author: Florian Roth (Nextron Systems)
date: 2021-06-29
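Review bot: the two archived URLs differ in form, `.../hhlxf/PrintNightmare/` keeps a trailing slash while `.../afwu/PrintNightmare` does not; pick one form, because the same pair is pasted into several other rules in this PR and an identical string makes future search-and-replace easier. The third reference, `https://github.com/cube0x0/CVE-2021-1675`, is left as a live link, so the PR description should state that it was checked and is still reachable, otherwise a reader cannot tell whether it was overlooked.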
Expand Up @@ -3,8 +3,8 @@ id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
status: test
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
date: 2021-06-30
Expand Up @@ -3,7 +3,7 @@ id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: test
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
references:
- https://github.com/klinix5/InstallerFileTakeOver
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
Expand Up @@ -3,7 +3,7 @@ id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
status: test
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
references:
- https://github.com/klinix5/InstallerFileTakeOver
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-07-12
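Review bot: `modified: 2022-07-12` is left untouched here (and on the other rules in this PR that carry a `modified` field); if the repository convention is to bump `modified` on any content change, these reference swaps need it, and if metadata-only edits are exempt, a sentence in the PR description saying so would save the next reviewer the question. The sibling rule for this CVE keeps the ZDI advisory (`https://www.zerodayinitiative.com/advisories/ZDI-21-1308/`) as a live reference, which is the more durable citation, so consider adding it here as well alongside the archived PoC.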
Expand Up @@ -4,7 +4,7 @@ status: test
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
references:
- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
- https://github.com/zerosum0x0/CVE-2019-0708
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
date: 2019-06-02
modified: 2022-12-25
Expand Up @@ -4,8 +4,8 @@ status: test
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
references:
- https://twitter.com/KevTheHermit/status/1410203844064301056
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
date: 2021-06-30
modified: 2023-01-02
Expand Up @@ -3,7 +3,7 @@ id: aaa5b30d-f418-420b-83a0-299cb6024885
status: test
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://github.com/zerosum0x0/CVE-2019-0708
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://github.com/Ekultek/BlueKeep
author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
date: 2019-05-24
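Review bot: only the zerosum0x0 link is swapped for a snapshot; `https://github.com/Ekultek/BlueKeep` stays as a live github.com URL. If it was verified reachable, say so in the PR; if not, it is a candidate for the same treatment, since PoC repositories for a well-known RCE like CVE-2019-0708 are exactly the kind that get taken down. The snapshot timestamp (20190710034152) is about seven weeks after the rule's `date: 2019-05-24`, which is close enough to reflect what the author cited.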
Expand Up @@ -3,7 +3,7 @@ id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021-07-01
Expand Up @@ -9,7 +9,7 @@ references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://github.com/AlsidOfficial/WSUSpendu/
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
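Review bot: the replacement drops the trailing slash that the original `https://github.com/AlsidOfficial/WSUSpendu/` had, which is fine for an archive URL, and the identical swap appears again in the second rule in this PR that carries the same reference list, so the two stay consistent. The rest of this list is still live github.com links to offensive tooling repositories (PowerSploit, PowerUpSQL, WinPwn, PowerSharpPack), which are as prone to removal as WSUSpendu was; rather than fixing links one deletion at a time, a periodic link-check job over the `references:` fields would surface the next dead one before a user hits it.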
2 changes: 1 addition & 1 deletion rules/windows/file/file_event/file_event_win_sam_dump.yml
Expand Up @@ -4,7 +4,7 @@ status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
- https://github.com/cube0x0/CVE-2021-36934
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://www.google.com/search?q=%22reg.exe+save%22+sam
- https://github.com/HuskyHacks/ShadowSteal
- https://github.com/FireFart/hivenightmare
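Review bot: two entries in this reference list are search-result URLs (`https://github.com/search?q=CVE-2021-36934` and the google.com query for `"reg.exe save" sam`); their results change over time and cannot be snapshotted meaningfully, so they are weaker citations than the archived cube0x0 repository now is. Not a blocker for this PR, but worth a follow-up that points at a stable write-up of CVE-2021-36934 instead.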
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_spoolsv_dll_load.yml
Expand Up @@ -3,7 +3,7 @@ id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: test
description: Detect DLL Load from Spooler Service backup folder
references:
- https://github.com/hhlxf/PrintNightmare
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/ly4k/SpoolFool
author: FPT.EagleEye, Thomas Patzke (improvements)
date: 2021-06-29
Expand Up @@ -11,7 +11,7 @@ references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://github.com/AlsidOfficial/WSUSpendu/
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
Expand Up @@ -3,7 +3,7 @@ id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
- https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
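Review bot: the inline comment `# Original got deleted. This is a fork` no longer matches the line it annotates, since the URL now points at a Wayback snapshot of the snovvcrash fork rather than the fork itself; reword it to something like `# Original got deleted and the fork is no longer reachable; archived snapshot of the snovvcrash fork` so a reader understands why an archive URL is cited.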