CVE-2021-1675 Print Spooler Exploitation IPC Access

Detects a remote printer driver load, seen as a Detailed File Share event (Security event 5145) in the Security log, which is a sign of successful exploitation attempts against the print spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527

Sigma rule

title: CVE-2021-1675 Print Spooler Exploitation IPC Access
id: 8fe1c584-ee61-444b-be21-e9054b229694
status: test
description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
references:
    - https://twitter.com/INIT_3/status/1410662463641731075
author: INIT_6
date: 2021/07/02
modified: 2022/10/05
tags:
    - attack.execution
    - attack.t1569
    - cve.2021.1675
    - cve.2021.34527
    - detection.emerging_threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: 'spoolss'
        AccessMask: '0x3'
        ObjectType: 'File'
    condition: selection
falsepositives:
    - Unknown
level: critical
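The following is an added example, not part of the rule above or of the Sigma project's code. It exercises the rule's selection against constructed Security event 5145 records in Python, implementing Sigma's string escaping by hand so that the value `'\\\\\*\\IPC$'` resolves to the literal share name `\\*\IPC$` (escaped asterisk, no wildcard) and so that an unescaped `*` still acts as a wildcard. The sample records, user names and IP addresses are constructed for illustration.

```python
"""Added example: evaluate the page's Sigma selection against constructed
Security 5145 records. The Sigma-to-regex translation below is written for
this example and is not the pySigma/sigma-cli implementation."""
import re

# Selection copied from the rule above; values keep Sigma's own escaping.
SELECTION = {
    "EventID": "5145",
    "ShareName": r"\\\\\*\\IPC$",   # Sigma escaping for the literal \\*\IPC$
    "RelativeTargetName": "spoolss",
    "AccessMask": "0x3",
    "ObjectType": "File",
}


def sigma_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma string value into a case-insensitive regex.

    Sigma rules: '\\\\' is a literal backslash, '\\*' a literal asterisk and
    '\\?' a literal question mark; a bare '*' matches any run of characters
    and a bare '?' any single character. A backslash before any other
    character is a plain backslash. Matching is case-insensitive and covers
    the whole field value (use fullmatch on the returned pattern).
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
        elif c == "*":
            parts.append(".*")                      # wildcard
            i += 1
        elif c == "?":
            parts.append(".")                       # single-char wildcard
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = {field: sigma_to_regex(value) for field, value in SELECTION.items()}


def matches_selection(event: dict) -> bool:
    """All fields of a Sigma selection map must match (logical AND).
    A field that is absent from the event never matches."""
    for field, regex in COMPILED.items():
        value = event.get(field)
        if value is None or regex.fullmatch(str(value)) is None:
            return False
    return True


def detect(events):
    """Return the records that trigger the rule."""
    return [e for e in events if matches_selection(e)]


# Constructed sample records shaped like the fields of Security event 5145
# (network share object access check). They are illustrative only and were
# not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": "5145", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x3", "ObjectType": "File"},       # matches the rule
    {"EventID": "5145", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "AccessMask": "0x3", "ObjectType": "File"},       # a different named pipe
    {"EventID": "5145", "SubjectUserName": "svc-print", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x1", "ObjectType": "File"},       # read-only, not 0x3
    {"EventID": "5145", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\C$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x3", "ObjectType": "File"},       # admin share, not IPC$
    {"EventID": "5145", "SubjectUserName": "JDOE", "IpAddress": "10.0.0.7",
     "ShareName": r"\\*\ipc$", "RelativeTargetName": "SPOOLSS",
     "AccessMask": "0x3", "ObjectType": "File"},       # case differs, still matches
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit['IpAddress']} {hit['SubjectUserName']} "
              f"{hit['ShareName']}\\{hit['RelativeTargetName']} mask={hit['AccessMask']}")
```

Two things worth checking when porting the rule to a SIEM: the escaped asterisk in `ShareName` must be emitted as a literal `*` (a naive backend that treats every `*` as a wildcard would also match any `\\<host>\IPC$` path), and `AccessMask` is compared as the string `0x3`, so a pipeline that renders the mask differently (for example as a decimal) will not fire this rule until the field is normalized.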
