Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Sigma rule (View on GitHub)

 1title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
 2id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
 3status: stable
 4description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
 5references:
 6    - https://twitter.com/mvelazco/status/1410291741241102338
 7    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
 8    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 9author: Sittikorn S, Nuttakorn T, Tim Shelton
10date: 2021-07-01
11modified: 2023-10-23
12tags:
13    - attack.privilege-escalation
14    - attack.t1055
15logsource:
16    category: antivirus
17detection:
18    selection:
19        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
20    keywords:
21        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
22    condition: selection and not keywords
23falsepositives:
24    - Unlikely, or pending PSP analysis
25level: critical

References

Related rules

to-top