Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects a suspicious file that public PoC code for the Windows Print Spooler remote code execution vulnerability CVE-2021-34527 (PrintNightmare, also written PrinterNightmare) and the related CVE-2021-1675 drops into the 64-bit print driver directory, as reported by an antivirus product.
Sigma rule
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021-07-01
modified: 2023-10-23
tags:
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: antivirus
detection:
    selection:
        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
    keywords:
        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
    condition: selection and not keywords
falsepositives:
    - Unlikely, or pending PSP analysis
level: critical
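How the rule's condition evaluates against antivirus telemetry, as an added Python example that is not part of the Sigma rule or of the SigmaHQ project. The sample events are constructed, the field names (Computer, Filename, Signature, Message) follow the rule's generic antivirus log source convention and are assumptions, and the matching functions reimplement Sigma's case-insensitive `contains` and unbound `keywords` semantics directly rather than calling any Sigma library.

```python
"""Evaluate the PrinterNightmare antivirus Sigma rule over constructed sample events."""

# Value of the rule's Filename|contains modifier. Sigma string matching is
# case-insensitive by default, so both sides are lowercased before comparison.
PATH_FRAGMENT = ":\\Windows\\System32\\spool\\drivers\\x64\\"

# The rule's 'keywords' block. Unbound keywords are matched against the whole
# event (every field), not against one named field.
FP_KEYWORDS = ["File submitted to Symantec"]

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {  # exploit DLL dropped into the 64-bit driver store -> should alert
        "Computer": "PRINTSRV01",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\evil.dll",
        "Signature": "Exploit.Win32.PrintNightmare",
        "Message": "Threat detected and quarantined",
    },
    {  # same directory, but vendor still analysing the file -> suppressed by 'keywords'
        "Computer": "PRINTSRV01",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\unknown.dll",
        "Signature": "Suspicious.Cloud.9",
        "Message": "File submitted to Symantec for analysis",
    },
    {  # detection outside the spool driver directory -> not this rule's concern
        "Computer": "WS-ALICE",
        "Filename": "C:\\Users\\alice\\Downloads\\setup.exe",
        "Signature": "Trojan.Gen",
        "Message": "Threat detected and quarantined",
    },
    {  # mixed-case path on another drive -> still alerts, 'contains' ignores case
        "Computer": "PRINTSRV02",
        "Filename": "d:\\WINDOWS\\system32\\SPOOL\\DRIVERS\\X64\\3\\payload.dll",
        "Signature": "Trojan.Gen",
        "Message": "Threat detected",
    },
    {  # 32-bit driver store (W32X86) is not covered by the rule's x64 fragment
        "Computer": "PRINTSRV02",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\payload32.dll",
        "Signature": "Trojan.Gen",
        "Message": "Threat detected",
    },
]


def contains_ci(haystack, needle):
    """Sigma 'contains' semantics: case-insensitive substring test."""
    return needle.lower() in str(haystack).lower()


def selection(event):
    """'selection': Filename|contains the x64 print driver directory fragment."""
    return contains_ci(event.get("Filename", ""), PATH_FRAGMENT)


def keywords(event):
    """'keywords': any listed string appears anywhere in the event."""
    return any(contains_ci(value, kw) for value in event.values() for kw in FP_KEYWORDS)


def rule_matches(event):
    """condition: selection and not keywords"""
    return selection(event) and not keywords(event)


def evaluate(events):
    """Return the events that would raise a critical alert under this rule."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {hit['Computer']}: {hit['Signature']} at {hit['Filename']}")
```

Two things the run makes visible: the `keywords` exclusion only removes events whose text still carries the vendor's "submitted for analysis" wording, so once the vendor publishes a verdict the same path will alert; and the `x64\` fragment deliberately covers only the 64-bit driver store, so detections under `spool\drivers\W32X86\` on 32-bit hosts pass through silently unless you add that fragment to the selection yourself.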
Related rules
- APT PRIVATELOG Image Load Pattern
- Malware Shellcode in Verclsid Target Process
- Potential Dridex Activity
- Potential Raspberry Robin Aclui Dll SideLoading
- Kapeka Backdoor Scheduled Task Creation