CVE-2021-1675 Print Spooler Exploitation
Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against the print spooler vulnerability CVE-2021-1675
Sigma rule
title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
status: test
description: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against the print spooler vulnerability CVE-2021-1675
references:
    - https://twitter.com/MalwareJake/status/1410421967463731200
author: Florian Roth (Nextron Systems)
date: 2021-07-01
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1569
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    product: windows
    service: printservice-operational
detection:
    selection:
        EventID: 316
    keywords:
        - 'UNIDRV.DLL, kernelbase.dll, '
        - ' 123 '
        - ' 1234 '
        - 'mimispool'
    condition: selection and keywords
fields:
    - DriverAdded
falsepositives:
    - Unknown
level: critical
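To show how the rule's condition is evaluated, here is an added Python example (not part of the Sigma project or of this page) that applies the selection (EventID 316) and the keyword list to constructed Microsoft-Windows-PrintService/Operational event messages; the message wording is an assumption modelled on Event ID 316's "driver added or updated" text, and the sample events are constructed, not real telemetry.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Keywords copied from the Sigma rule above. Sigma keyword lists are unbound
# string matches: case-insensitive substring search over the whole event text.
# The spaces around ' 123 ' and ' 1234 ' act as crude word boundaries so that
# a driver name or version field containing just that token matches.
KEYWORDS = [
    "UNIDRV.DLL, kernelbase.dll, ",
    " 123 ",
    " 1234 ",
    "mimispool",
]


@dataclass
class PrintServiceEvent:
    event_id: int   # EventID from the PrintService/Operational log
    message: str    # fully rendered event message (assumed format)


def matched_keywords(event: PrintServiceEvent) -> List[str]:
    """Return the rule keywords found anywhere in the event text (case-insensitive)."""
    text = event.message.lower()
    return [kw for kw in KEYWORDS if kw.lower() in text]


def matches_rule(event: PrintServiceEvent) -> bool:
    """Sigma condition 'selection and keywords': EventID 316 AND at least one keyword hit."""
    return event.event_id == 316 and bool(matched_keywords(event))


def triage(events: List[PrintServiceEvent]) -> List[Tuple[int, List[str]]]:
    """Index and matched keywords for every event that fires the rule."""
    return [(i, matched_keywords(e)) for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real logs); wording modelled on Event ID 316.
SAMPLE_EVENTS = [
    PrintServiceEvent(316, "Printer driver Generic / Text Only for Windows x64 Version-3 was added or "
                           "updated. Files:- UNIDRV.DLL, kernelbase.dll, mimispool.dll. No user action is required."),
    PrintServiceEvent(316, "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or "
                           "updated. Files:- hpcu250u.dll, hpcu250u.dll. No user action is required."),
    PrintServiceEvent(307, "Document 5, Print Document owned by user on \\\\host was printed on Generic / Text Only."),
    PrintServiceEvent(316, "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                           "Files:- evil.dll. No user action is required."),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: rule fired on keywords {hits}")
```

The second event is a legitimate driver install with no keyword hit, and the third has a matching message style but the wrong EventID, so neither fires.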
Related rules
- CVE-2021-1675 Print Spooler Exploitation IPC Access
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-26858 Exchange Exploitation