CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Sigma rule (View on GitHub)
1title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
2id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
3status: test
4description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
5references:
6 - https://github.com/hhlxf/PrintNightmare
7 - https://github.com/afwu/PrintNightmare
8 - https://github.com/cube0x0/CVE-2021-1675
9author: Florian Roth (Nextron Systems)
10date: 2021/06/29
11modified: 2022/12/25
12tags:
13 - attack.execution
14 - attack.privilege_escalation
15 - attack.resource_development
16 - attack.t1587
17 - cve.2021.1675
18 - detection.emerging_threats
19logsource:
20 category: file_event
21 product: windows
22detection:
23 selection:
24 TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
25 condition: selection
26falsepositives:
27 - Unknown
28fields:
29 - ComputerName
30 - TargetFilename
31level: critical
References
Related rules
- Suspicious Word Cab File Write CVE-2021-40444
- CVE-2021-1675 Print Spooler Exploitation IPC Access
- Possible CVE-2021-1675 Print Spooler Exploitation
- FoggyWeb Backdoor DLL Loading
- Potential CVE-2023-21554 QueueJumper Exploitation