Possible CVE-2021-1675 Print Spooler Exploitation
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
Sigma rule
```yaml
title: Possible CVE-2021-1675 Print Spooler Exploitation
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
status: test
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
references:
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
    - https://twitter.com/fuzzyf10w/status/1410202370835898371
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
date: 2021-06-30
modified: 2022-11-15
tags:
    - attack.execution
    - attack.t1569
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    product: windows
    service: printservice-admin
detection:
    selection:
        EventID: 808
        ErrorCode:
            - '0x45A'
            - '0x7e'
    keywords:
        - 'The print spooler failed to load a plug-in module'
        # default file names used in PoC codes
        - 'MyExploit.dll'
        - 'evil.dll'
        - '\addCube.dll'
        - '\rev.dll'
        - '\rev2.dll'
        - '\main64.dll'
        - '\mimilib.dll'
        - '\mimispool.dll'
    falsepositive:
        - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
    condition: (selection or keywords) and not falsepositive
fields:
    - PluginDllName
falsepositives:
    - Problems with printer drivers
level: high
```
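To make the rule's condition concrete, the following is an added example (not part of the SigmaHQ rule or its tooling) that evaluates `(selection or keywords) and not falsepositive` over constructed PrintService/Admin events; the field names `EventID`, `ErrorCode`, `PluginDllName` and `Message` are assumed to be what the log pipeline produces, and Sigma's default case-insensitive matching is applied.

```python
# Added example: a minimal evaluator for this Sigma rule's detection logic.
# Field names (EventID, ErrorCode, PluginDllName, Message) are assumptions
# about how the Microsoft-Windows-PrintService/Admin channel is parsed.
SELECTION_EVENT_ID = 808
SELECTION_ERROR_CODES = {"0x45a", "0x7e"}   # rule values, lower-cased for comparison
KEYWORDS = [
    "The print spooler failed to load a plug-in module",
    "MyExploit.dll", "evil.dll", "\\addCube.dll", "\\rev.dll",
    "\\rev2.dll", "\\main64.dll", "\\mimilib.dll", "\\mimispool.dll",
]
FALSE_POSITIVE = " registration timed out"   # leading space is part of the filter


def _event_text(event: dict) -> str:
    """Sigma keyword selections match against the whole event, not one field."""
    return " ".join(str(v) for v in event.values()).lower()


def matches_selection(event: dict) -> bool:
    """Field selection: EventID 808 with one of the two driver-load error codes."""
    code = str(event.get("ErrorCode", "")).lower()
    return event.get("EventID") == SELECTION_EVENT_ID and code in SELECTION_ERROR_CODES


def matches_keywords(event: dict) -> bool:
    return any(k.lower() in _event_text(event) for k in KEYWORDS)


def matches_false_positive(event: dict) -> bool:
    return FALSE_POSITIVE.lower() in _event_text(event)


def rule_fires(event: dict) -> bool:
    """condition: (selection or keywords) and not falsepositive"""
    return (matches_selection(event) or matches_keywords(event)) and not matches_false_positive(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 808, "ErrorCode": "0x7e", "Message": "The print spooler failed to load a plug-in module",
     "PluginDllName": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\MyExploit.dll"},   # selection and keywords
    {"EventID": 808, "ErrorCode": "0x45A", "Message": "The print spooler failed to load a plug-in module",
     "PluginDllName": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UNIDRV.DLL"},      # selection only
    {"EventID": 808, "ErrorCode": "0x0", "PluginDllName": "PrintConfig",
     "Message": "The print spooler failed to load a plug-in module PrintConfig registration timed out"},  # filtered
    {"EventID": 372, "ErrorCode": "0x0", "Message": "Document printed"},                   # unrelated
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the events on which the rule would alert."""
    return [e for e in events if rule_fires(e)]
```

The third sample shows why the `falsepositive` filter exists: it matches the `keywords` selection on message text alone and would otherwise alert on a routine PrintConfig timeout.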
Related rules
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Cicada Ransomware PSExec File Creation
- Cicada3301 Ransomware Execution via PSExec