Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects an antivirus hit on a file under the 64-bit print spooler driver store (:\Windows\System32\spool\drivers\x64\), the location where public PoC code for the Windows Print Spooler remote code execution vulnerability CVE-2021-34527 (PrintNightmare) and the related CVE-2021-1675 places its malicious driver DLL. Symantec "File submitted" notices are excluded because they indicate a sample pending analysis rather than a confirmed detection.

Sigma rule

title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021/07/01
modified: 2023/10/23
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: antivirus
detection:
    selection:
        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
    keywords:
        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
    condition: selection and not keywords
falsepositives:
    - Unlikely, or pending PSP analysis
level: critical
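The rule is short but combines three Sigma behaviours worth checking before deploying it: the selection is a case-insensitive substring test on one field, a bare keywords list is a free-text search over the whole event rather than one field, and the condition excludes every event the keywords hit. The evaluator below is an added example, not code from the Sigma project or the rule authors; it applies that logic to constructed antivirus events. The field names (Filename, Product, Action, Message, Threat), the threat names and the paths are assumptions for illustration, and in a real deployment the Sigma backend maps each vendor's log format onto the Filename field.

```python
# Added example (not from the Sigma project or the rule authors): a minimal
# evaluator for this one rule, run over constructed antivirus events so the
# three outcomes (alert, excluded by the Symantec keyword, no alert) can be
# checked offline. Field names such as "Filename", "Product", "Action",
# "Message" and "Threat" are assumptions; a real deployment maps them from each
# vendor's log format in the Sigma backend.

# Sigma `contains` and `keywords` matching is case-insensitive by default.
SELECTION_FILENAME_CONTAINS = ":\\Windows\\System32\\spool\\drivers\\x64\\"
EXCLUSION_KEYWORDS = ["File submitted to Symantec"]


def selection_matches(event: dict) -> bool:
    """`Filename|contains`: case-insensitive substring test on a single field."""
    filename = event.get("Filename")
    return isinstance(filename, str) and SELECTION_FILENAME_CONTAINS.lower() in filename.lower()


def keywords_match(event: dict) -> bool:
    """A bare `keywords` list is a free-text search over every field of the event."""
    needles = [k.lower() for k in EXCLUSION_KEYWORDS]
    return any(
        needle in value.lower()
        for value in event.values()
        if isinstance(value, str)
        for needle in needles
    )


def rule_matches(event: dict) -> bool:
    """condition: selection and not keywords"""
    return selection_matches(event) and not keywords_match(event)


def evaluate(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events; threat names and paths are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {   # Dropped driver DLL in the x64 driver store: the rule should fire.
        "id": "defender-x64-driver-dll",
        "Product": "Microsoft Defender",
        "Action": "Quarantined",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\payload.dll",
        "Threat": "Trojan:Win32/Example",
    },
    {   # Same location, lower-case path: still fires because contains is case-insensitive.
        "id": "defender-lowercase-path",
        "Product": "Microsoft Defender",
        "Action": "Quarantined",
        "Filename": "c:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\payload.dll",
        "Threat": "Trojan:Win32/Example",
    },
    {   # Symantec sample submission for a file in the same directory: excluded by keywords.
        "id": "symantec-pending-submission",
        "Product": "Symantec Endpoint Protection",
        "Action": "Pending analysis",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\driver.dll",
        "Message": "File submitted to Symantec for analysis",
    },
    {   # 32-bit driver store (W32X86): outside the rule's selection, so no alert.
        "id": "defender-w32x86-driver-dll",
        "Product": "Microsoft Defender",
        "Action": "Quarantined",
        "Filename": "C:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\payload.dll",
        "Threat": "Trojan:Win32/Example",
    },
    {   # Ordinary user download: no alert.
        "id": "defender-user-download",
        "Product": "Microsoft Defender",
        "Action": "Quarantined",
        "Filename": "C:\\Users\\alice\\Downloads\\tool.exe",
        "Threat": "Trojan:Win32/Example",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:32} -> {'ALERT' if rule_matches(event) else 'no alert'}")
```

Two things the sample set makes visible: the selection only covers the x64 driver store, so a detection under the 32-bit W32X86 directory never alerts, and the exclusion is a free-text match, so any event from any vendor whose text happens to contain "File submitted to Symantec" is dropped even when the file sits in the monitored directory.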
