CVE-2021-1675 Print Spooler Exploitation
Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against the print spooler vulnerability CVE-2021-1675
Sigma rule

title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
status: test
description: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against the print spooler vulnerability CVE-2021-1675
references:
    - https://twitter.com/MalwareJake/status/1410421967463731200
author: Florian Roth (Nextron Systems)
date: 2021/07/01
modified: 2022/10/09
tags:
    - attack.execution
    - attack.t1569
    - cve.2021.1675
    - detection.emerging_threats
logsource:
    product: windows
    service: printservice-operational
detection:
    selection:
        EventID: 316
    keywords:
        - 'UNIDRV.DLL, kernelbase.dll, '
        - ' 123 '
        - ' 1234 '
        - 'mimispool'
    condition: selection and keywords
fields:
    - DriverAdded
falsepositives:
    - Unknown
level: critical
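To show what the rule's `condition: selection and keywords` actually evaluates, here is an added matcher that is not part of the Sigma rule page or of SigmaHQ. It applies the same two gates (Event ID 316 from the print service operational log, and any of the rule's keyword strings found in the event text) to a handful of constructed sample events; the record ids and message wording are made up for the example and only loosely modelled on the "Printer driver ... was added or updated. Files:- ..." text of event 316.

```python
"""Added example: evaluate the CVE-2021-1675 Sigma rule's logic against
constructed PrintService/Operational events (not the rule's own code)."""
from typing import Iterable, List

# Values taken verbatim from the rule above.
EVENT_ID = 316
KEYWORDS = [
    "UNIDRV.DLL, kernelbase.dll, ",  # trailing space is part of the keyword
    " 123 ",
    " 1234 ",
    "mimispool",
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and keywords'.

    'selection' is the EventID check; a Sigma 'keywords' list is an
    unanchored substring search over the whole event text, case-insensitive
    in most backends, which is what is implemented here.
    """
    if event.get("EventID") != EVENT_ID:
        return False
    text = str(event.get("Message", "")).lower()
    return any(kw.lower() in text for kw in KEYWORDS)


def run_detection(events: Iterable[dict]) -> List[int]:
    """Return the RecordIds of all events the rule would alert on."""
    return [e["RecordId"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical ids, channel and message text).
CHANNEL = "Microsoft-Windows-PrintService/Operational"
SAMPLE_EVENTS = [
    # 316 + driver name " 1234 " + the UNIDRV/kernelbase file list -> alert
    {"RecordId": 1, "EventID": 316, "Channel": CHANNEL,
     "Message": "Printer driver 1234 for Windows x64 Version-3 was added or "
                "updated. Files:- UNIDRV.DLL, kernelbase.dll, payload.dll. "
                "No user action is required."},
    # 316 but an ordinary vendor driver with its own files -> no alert
    {"RecordId": 2, "EventID": 316, "Channel": CHANNEL,
     "Message": "Printer driver HP Universal Printing PCL 6 for Windows x64 "
                "Version-3 was added or updated. Files:- hpcu250u.dll, "
                "hpcu250u.ini. No user action is required."},
    # keyword present but wrong EventID -> 'selection' fails, no alert
    {"RecordId": 3, "EventID": 808, "Channel": CHANNEL,
     "Message": "The print spooler failed to load a plug-in module "
                "mimispool.dll. See the event user data for context."},
    # 316 + 'mimispool' in the file list -> alert
    {"RecordId": 4, "EventID": 316, "Channel": CHANNEL,
     "Message": "Printer driver Generic Text Only for Windows x64 Version-3 "
                "was added or updated. Files:- mimispool.dll. "
                "No user action is required."},
]

if __name__ == "__main__":
    print("Alerting records:", run_detection(SAMPLE_EVENTS))  # -> [1, 4]
```

Two details worth keeping in mind when porting the rule to a backend: the keywords `' 123 '` and `' 1234 '` rely on their surrounding spaces to avoid matching any driver name that merely contains those digits, so the quoting in the YAML must survive translation, and record 3 shows that a keyword hit alone is not enough, since the condition requires the Event ID gate as well.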