@blamejs/exceptd-skills 0.15.14 → 0.15.15

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.15 — 2026-05-29
+
+Draft-curation pass 13 — Windows kernel/driver LPE. Seven CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: a Common Log File System (CLFS) driver use-after-free (CVE-2025-32701 — CLFS is a recurring kernel-LPE target), a race condition (CVE-2025-62215), an untrusted-pointer dereference (CVE-2025-24990), link-following (CVE-2025-60710), a kernel out-of-bounds read primitive (CVE-2023-36424), an information-disclosure primitive (CVE-2026-20805), and improper privilege management (CVE-2021-43226). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the second half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and stress hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
+
 ## 0.15.14 — 2026-05-29
 
 Draft-curation pass 12 — legacy Microsoft client-side RCEs. Six CISA KEV-listed older Microsoft document / browser / font-parsing RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Office (CVE-2009-0238), PowerPoint (CVE-2009-0556), Excel (CVE-2007-0671), Internet Explorer (CVE-2010-3962 — a landmark IE zero-day from the Operation Aurora era), Windows TrueType font parsing (CVE-2011-3402 — the Duqu zero-day), and Windows InformationCardSigninHelper ActiveX (CVE-2013-3918). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the patch landed years ago, but CISA re-lists because unpatched legacy estates remain exposed; centralized patch management plus Office hardening (Protected View, ASR rules) are the load-bearing controls.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T20:50:15.179Z",
+  "generated_at": "2026-05-29T21:03:43.254Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "07a6b22fe3f85de5ff139faa70278981d59d6eeec0c465fb0a8559724df50617",
+    "manifest.json": "4583ef83386e42795c8990101aaad4526d7965db5c29cabb4899d8b4d807a3ca",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "523e511ea16852804bb9c5a7b898b64d39180164e3a3eb09a88df10c84d46bf2",
-    "data/cve-catalog.json": "f2ea8df743747001bd8ba86b6353fc76dbd5cb1a8bf8b99d7f9ac8e0addccec3",
+    "data/attack-techniques.json": "8a593b6a67125e0eb4e5d167654b5fc24531ca2f95be4362a1c4d80e3df2d3a3",
+    "data/cve-catalog.json": "a97c16dbf941e68e2e0fda7a82d821e64952eb224170e48dfbd2c5a2af61999d",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "4a5cb953b7645f0d8cf5463f9aa7abea1dc56bca8293e5148458e7d047c0ea18",
+    "data/zeroday-lessons.json": "23155c21ee4dd4e7a6402cd4215f266dae559892b3f317e43fac9f64f4a10ef2",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -480,6 +480,7 @@
       "CVE-2020-17103-REREGRESSION-2026",
       "CVE-2021-30952",
       "CVE-2021-43226",
+      "CVE-2023-36424",
       "CVE-2023-41974",
       "CVE-2023-43000",
       "CVE-2024-0769",
@@ -501,6 +502,7 @@
       "CVE-2025-62849",
       "CVE-2026-0300",
       "CVE-2026-20122",
+      "CVE-2026-20805",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",

package/data/cve-catalog.json

@@ -9480,7 +9480,7 @@
     "cwe_refs": [
       "CWE-59"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710",
@@ -9509,11 +9509,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710 ; https://nvd.nist.gov/vuln/detail/CVE-2025-60710",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation"
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with a link-following / symlink-handling flaw (CWE-59) in a Windows component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-60710, CISA KEV (added 2026-04-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-21529": {
     "name": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
@@ -9662,7 +9672,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9683,7 +9694,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424",
@@ -9712,11 +9723,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424 ; https://nvd.nist.gov/vuln/detail/CVE-2023-36424",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation"
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with an out-of-bounds read (CWE-125) in a Windows kernel/driver component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-36424, CISA KEV (added 2026-04-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
@@ -26996,7 +27017,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27017,7 +27039,7 @@
     "cwe_refs": [
       "CWE-200"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805",
@@ -27046,11 +27068,21 @@
         "published_date": "2026-01-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-13; due date 2026-02-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20805",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with an information-disclosure flaw (CWE-200) in a Windows component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20805, CISA KEV (added 2026-01-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-8110": {
     "name": "Gogs Path Traversal Vulnerability",
@@ -29674,7 +29706,7 @@
     "cwe_refs": [
       "CWE-362"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215",
@@ -29703,11 +29735,21 @@
         "published_date": "2025-11-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62215",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with a race condition (CWE-362) in a Windows kernel-mode component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62215, CISA KEV (added 2025-11-12), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-9242": {
     "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
@@ -31522,7 +31564,7 @@
     "cwe_refs": [
       "CWE-822"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24990",
@@ -31551,11 +31593,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24990 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24990",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with an untrusted-pointer-dereference flaw (CWE-822) in a Windows kernel-mode component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24990, CISA KEV (added 2025-10-14), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59230": {
     "name": "Microsoft Windows Improper Access Control Vulnerability",
@@ -32214,7 +32266,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43226",
@@ -32243,11 +32295,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43226 ; https://nvd.nist.gov/vuln/detail/CVE-2021-43226",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with an improper privilege-management flaw (CWE-269) on Windows on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-43226, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2013-3918": {
     "name": "Microsoft Windows Out-of-Bounds Write Vulnerability",
@@ -41269,7 +41331,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32701",
@@ -41298,11 +41360,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32701 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32701",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows Common Log File System (CLFS) Driver at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with a use-after-free (CWE-416) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation), with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32701, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-12450": {
     "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",