Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
Sigma rule
title: Potential SystemNightmare Exploitation Attempt
id: c01f7bd6-0c1d-47aa-9c61-187b91273a16
status: test
description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
references:
    - https://github.com/GossiTheDog/SystemNightmare
author: Florian Roth (Nextron Systems)
date: 2021-08-11
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'printnightmare.gentilkiwi.com'
            - ' /user:gentilguest '
            - 'Kiwi Legit Printer'
    condition: selection
falsepositives:
    - Unknown
level: critical
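To see how this selection behaves on telemetry, here is an added Python example (not part of the rule or of the SigmaHQ project) that applies the rule's CommandLine|contains list to a few constructed process_creation events. It mirrors Sigma's default case-insensitive string matching and shows that the ' /user:gentilguest ' value, which carries a leading and trailing space, only fires when the argument is surrounded by spaces; the event dictionaries are constructed test input, not real logs.

```python
# Selection values copied from the Sigma rule above
CMDLINE_CONTAINS = [
    "printnightmare.gentilkiwi.com",
    " /user:gentilguest ",
    "Kiwi Legit Printer",
]


def matches_rule(event: dict) -> bool:
    """Apply the rule's single selection: CommandLine|contains any value.

    Sigma string matching is case-insensitive unless a modifier says
    otherwise, so both sides are lower-cased before the substring test.
    Events without a string CommandLine field can never match.
    """
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False
    haystack = cmdline.lower()
    return any(needle.lower() in haystack for needle in CMDLINE_CONTAINS)


def alert_on(events):
    """Return the events that would raise this rule (level: critical)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample process_creation events (not real telemetry)
SAMPLE_EVENTS = [
    # Upper-cased indicator: still matches because Sigma compares case-insensitively
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo PRINTNIGHTMARE.GENTILKIWI.COM"},
    # Argument sits at the end of the line with no trailing space: the rule
    # value ' /user:gentilguest ' requires a space on both sides, so no match
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test /user:gentilguest"},
    # Printer name indicator embedded in a quoted argument: matches
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c echo "Kiwi Legit Printer"'},
    # Benign process start: no match
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print("CRITICAL:", hit["CommandLine"])
```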
References
- https://github.com/GossiTheDog/SystemNightmare
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- APT PRIVATELOG Image Load Pattern
- Audit CVE Event
- Buffer Overflow Attempts
- CVE-2022-24527 Microsoft Connected Cache LPE