PrinterNightmare Mimikatz Driver Name

calendar Nov 10, 2025 · attack.execution attack.t1204 cve.2021-1675 cve.2021-34527 detection.emerging-threats  ·
Share on: linkedin copy

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

Sigma rule (View on GitHub)

 1title: PrinterNightmare Mimikatz Driver Name
 2id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 3status: test
 4description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 5references:
 6    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 7    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
 9    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
10    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
11author: Markus Neis, @markus_neis, Florian Roth
12date: 2021-07-04
13modified: 2023-06-12
14tags:
15    - attack.execution
16    - attack.t1204
17    - cve.2021-1675
18    - cve.2021-34527
19    - detection.emerging-threats
20logsource:
21    product: windows
22    category: registry_event
23detection:
24    selection:
25        TargetObject|contains:
26            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
27            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
28    selection_alt:
29        TargetObject|contains|all:
30            - 'legitprinter'
31            - '\Control\Print\Environments\Windows'
32    selection_print:
33        TargetObject|contains:
34            - '\Control\Print\Environments'
35            - '\CurrentVersion\Print\Printers'
36    selection_kiwi:
37        TargetObject|contains:
38            - 'Gentil Kiwi'
39            - 'mimikatz printer'
40            - 'Kiwi Legit Printer'
41    condition: selection or selection_alt or (selection_print and selection_kiwi)
42falsepositives:
43    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
44level: critical

References

  • [new] mimikatz misc::printnightmare little POC · gentilkiwi/mimikatz@c212760

    A little tool to play with Windows security. Contribute to gentilkiwi/mimikatz development by creating an account on GitHub.


    Read More

  • %PDF-1.6 %âãÏÓ 41 0 obj endobj 55 0 obj /Filter/FlateDecode/ID[ ]/Index[41 20]/Info 40 0 R/Length 74/Prev 180217/Root 42 0 R/Size 61/Type/XRef/W[1 2 1]>>stream hÞbbd``b`š$ìA,më.�`ý"N€ˆ^ ÁÒb=...


    Read More

  • [MS-RPRN]: DRIVER_INFO and RPC_DRIVER_INFO Members

    This section describes members commonly used in DRIVER_INFO (section 2.2.1.5) and RPC_DRIVER_INFO (section 2.2.1.3.1)


    Read More

  • NVD - cve-2021-1675

    http://packetstormsecurity.com/files/163349/Microsoft-PrintNightmare-Proof-Of-Concept.html CVE, Microsoft Corporation Third Party Advisory  VDB Entry  http://packetstormsecurity.com/files/163351/Pr...


    Read More

  • NVD - cve-2021-34527

    CVE-2021-34527 Detail Modified This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes. Descript...


    Read More

Related rules

to-top