Potential PrintNightmare Exploitation Attempt
Detects DLL deletions from the Print Spooler service driver folder, which may indicate an exploitation attempt of CVE-2021-1675 (PrintNightmare).
Sigma rule
```yaml
title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021-07-01
modified: 2023-02-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\spoolsv.exe'
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
    condition: selection
falsepositives:
    - Unknown
level: high
```
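The following is an added example (not part of the SigmaHQ rule or this page) showing how the rule's `selection` block evaluates against file-deletion telemetry. It implements the Sigma `endswith` and `contains` modifiers as a small generic evaluator (case-insensitive, as Sigma string matching is by default) and runs it over constructed Sysmon Event ID 23 style events; the `UtcTime`, `Image` and `TargetFilename` values are invented samples, not captured logs.

```python
from typing import Any

# The rule's selection block, transcribed from the Sigma rule above.
# The driver path ends in a backslash, so it is written with escaped backslashes.
SELECTION = {
    "Image|endswith": "\\spoolsv.exe",
    "TargetFilename|contains": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\",
}


def _match_string(value: str, pattern: str, modifier: str) -> bool:
    """Apply one Sigma string modifier.

    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparison. Only the modifiers needed here
    (plus startswith and exact match) are implemented.
    """
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def eval_selection(event: dict[str, Any], selection: dict[str, str]) -> bool:
    """A Sigma selection map is an AND over its keys.

    Each key may carry a '|modifier' suffix naming how the field is
    compared. An event that lacks one of the fields never matches.
    """
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match_string(str(value), pattern, modifier):
            return False
    return True


# Constructed sample file_delete events (Sysmon Event ID 23 field names).
# These are illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    # Spooler deleting a DLL in the x64 driver directory: should match
    {"UtcTime": "2021-07-01 10:15:02.113",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\printdrv.dll"},
    # Spooler deleting a spool file in PRINTERS: normal housekeeping, no match
    {"UtcTime": "2021-07-01 10:15:03.004",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00001.SPL"},
    # Another process touching the driver folder: Image does not match
    {"UtcTime": "2021-07-01 10:16:40.550",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\printdrv.dll"},
    # Mixed-case paths and a nested subfolder: still matches (case-insensitive, contains)
    {"UtcTime": "2021-07-01 10:17:12.201",
     "Image": r"C:\WINDOWS\SYSTEM32\SPOOLSV.EXE",
     "TargetFilename": r"c:\windows\system32\spool\drivers\x64\3\New\printdrv.dll"},
]


def find_matches(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events that satisfy the rule's selection (condition: selection)."""
    return [e for e in events if eval_selection(e, SELECTION)]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"[PrintNightmare rule] {e['UtcTime']} {e['Image']} deleted {e['TargetFilename']}")
```

Two of the four constructed events fire: the first and the fourth. The second shows why the rule scopes to the driver directory rather than all spooler deletions (spool job cleanup in `PRINTERS` is routine), and the third shows that the `Image` clause excludes other processes writing to the same folder, such as driver installation by a service host.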
Related rules
- Windows Spooler Service Suspicious Binary Load
- Exploiting SetupComplete.cmd CVE-2019-1378
- Suspicious Printer Driver Empty Manufacturer
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Turla Group Commands May 2020