CVE-2021-1675 Print Spooler Exploitation IPC Access
Detects remote access to the spoolss named pipe over the IPC$ share (Security event 5145, Detailed File Share auditing), which is a sign of exploitation attempts against the Print Spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrintNightmare)
Sigma rule (View on GitHub)
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
id: 8fe1c584-ee61-444b-be21-e9054b229694
status: test
description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
references:
  - https://twitter.com/INIT_3/status/1410662463641731075
author: INIT_6
date: 2021-07-02
modified: 2022-10-05
tags:
  - attack.execution
  - attack.t1569
  - cve.2021-1675
  - cve.2021-34527
  - detection.emerging-threats
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    RelativeTargetName: 'spoolss'
    AccessMask: '0x3'
    ObjectType: 'File'
  condition: selection
falsepositives:
  - Unknown
level: critical
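The selection above is an AND over five fields, and the only non-obvious part is the ShareName value: Sigma escaping turns '\\\\\*\\IPC$' into the literal string \\*\IPC$ (the star is escaped, so it is not a wildcard), and Sigma string matching is case-insensitive. The following Python is an added example, not code from the Sigma project or the rule author: it implements that matching, applies the selection to a handful of constructed 5145-style records (the event dicts, usernames and IP addresses are made up for the example), and reports which fields a near-miss failed on, which is what you need when tuning the rule.

```python
import re

# Selection block of the rule above, copied verbatim. Python raw strings keep the
# backslashes exactly as the single-quoted YAML scalars do.
SELECTION = {
    "EventID": "5145",
    "ShareName": r"\\\\\*\\IPC$",   # Sigma escaping for the literal string \\*\IPC$
    "RelativeTargetName": "spoolss",
    "AccessMask": "0x3",
    "ObjectType": "File",
}


def sigma_value_to_regex(value: str) -> "re.Pattern[str]":
    r"""Compile one Sigma string value into an anchored, case-insensitive regex.

    Sigma escaping: '\\' is a literal backslash, '\*' and '\?' are literal
    '*' and '?', a bare '*' matches any run of characters and a bare '?' one
    character. Any other backslash is an ordinary backslash.
    """
    parts = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            parts.append(re.escape(value[i + 1]))  # escaped -> literal character
            i += 2
        elif c == "*":
            parts.append(".*")
            i += 1
        elif c == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = {field: sigma_value_to_regex(v) for field, v in SELECTION.items()}


def failed_fields(event: dict) -> list:
    """Names of selection fields the event does not satisfy (empty list = hit).

    A selection is an AND over its fields; a missing field counts as a miss.
    """
    return [
        field
        for field, pattern in COMPILED.items()
        if field not in event or pattern.match(str(event[field])) is None
    ]


def matches(event: dict) -> bool:
    return not failed_fields(event)


# Constructed sample records shaped like the EventData fields of Security 5145.
# They are made up for this example, not captured from a real host.
SAMPLE_EVENTS = [
    # 0: client opens \pipe\spoolss through IPC$ with READ|WRITE (0x3): a hit
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x3", "ObjectType": "File"},
    # 1: same pipe, read-only handle (0x1): AccessMask does not match
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x1", "ObjectType": "File"},
    # 2: a different RPC pipe (srvsvc) over IPC$: RelativeTargetName does not match
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.40",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "AccessMask": "0x3", "ObjectType": "File"},
    # 3: ordinary file on a data share: ShareName does not match
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\Finance", "RelativeTargetName": r"Q3\report.xlsx",
     "AccessMask": "0x3", "ObjectType": "File"},
    # 4: same as 0 with different letter case: still a hit, Sigma matching is
    #    case-insensitive
    {"EventID": 5145, "SubjectUserName": "JDOE", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\ipc$", "RelativeTargetName": "SPOOLSS",
     "AccessMask": "0x3", "ObjectType": "file"},
]


def run_rule(events) -> list:
    """Indexes of the events that satisfy the selection."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        misses = failed_fields(e)
        print(f"event {i}: {'HIT' if not misses else 'miss on ' + ', '.join(misses)}")
```

Two operational caveats. Event 5145 is only written when the "Audit Detailed File Share" subcategory (Object Access) is enabled on the print server; without it the rule can never fire, and with it file servers produce a very high volume, so filter to RelativeTargetName values you care about before shipping the events. A hit means a remote client opened the spooler's RPC pipe over SMB, which is the first step of a PrintNightmare attempt but also of legitimate remote printer administration; correlate it with the driver-install rules listed under Related rules before treating it as confirmed exploitation.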
Related rules
- CVE-2021-1675 Print Spooler Exploitation
- Possible PrintNightmare Print Driver Install
- PrinterNightmare Mimikatz Driver Name
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT