Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that PoC code for the Windows Print Spooler remote code execution vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675 writes into the spooler's x64 driver directory.
Sigma rule
```yaml
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021-07-01
modified: 2023-10-23
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: antivirus
detection:
    selection:
        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
    keywords:
        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
    condition: selection and not keywords
falsepositives:
    - Unlikely, or pending PSP analysis
level: critical
```
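The rule's logic, as an added example that is not part of the SigmaHQ rule or its page: a small evaluator that applies the `selection` (case-insensitive `contains` on the spooler x64 driver path, any drive letter) and the `keywords` exclusion (the Symantec "file submitted" message anywhere in the event) to constructed antivirus events. The `Computer` and `Message` fields and the sample paths are assumptions made for the example.

```python
"""Apply the PrinterNightmare antivirus Sigma rule to constructed sample events."""

# Constructed sample antivirus events (not real log data). The 'Filename'
# field is the one the rule keys on; 'Computer' and 'Message' are assumed.
SAMPLE_EVENTS = [
    {"Computer": "PRINTSRV01",
     "Filename": r"C:\Windows\System32\spool\drivers\x64\3\New\suspicious.dll",
     "Message": "Trojan.Gen detected"},
    {"Computer": "PRINTSRV01",
     "Filename": r"C:\Windows\System32\spool\drivers\x64\3\old\unknown.dll",
     "Message": "File submitted to Symantec for analysis"},
    {"Computer": "WS-042",
     "Filename": r"C:\Users\alice\Downloads\setup.exe",
     "Message": "PUA.Adware detected"},
    {"Computer": "PRINTSRV02",
     "Filename": r"D:\Windows\System32\spool\drivers\x64\3\payload.dll",
     "Message": "Backdoor detected"},
]

# Values taken from the rule. The path starts at ':\' so any drive letter matches.
SPOOL_DRIVER_DIR = ":\\Windows\\System32\\spool\\drivers\\x64\\"
SYMANTEC_FP_KEYWORD = "File submitted to Symantec"


def selection(event):
    # Sigma 'contains' modifier: case-insensitive substring match on Filename.
    return SPOOL_DRIVER_DIR.lower() in event.get("Filename", "").lower()


def keywords(event):
    # A bare 'keywords' list is matched against the whole event text,
    # not a single field, so join every field value before searching.
    blob = " ".join(str(v) for v in event.values()).lower()
    return SYMANTEC_FP_KEYWORD.lower() in blob


def matches(event):
    # condition: selection and not keywords
    return selection(event) and not keywords(event)


def run_rule(events):
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Computer"], hit["Filename"])
```

Events one and four fire (the second is suppressed by the Symantec keyword, the third is outside the driver directory); note that a fully qualified path on any drive letter satisfies the selection.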