Possible PrintNightmare Print Driver Install

Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). Print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

Sigma rule

title: Possible PrintNightmare Print Driver Install
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
      type: derived
status: stable
description: |
    Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://github.com/corelight/CVE-2021-1675
    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/

author: '@neu5ron (Nate Guagenti)'
date: 2021/08/23
modified: 2022/07/07
tags:
    - attack.execution
    - cve.2021.1678
    - cve.2021.1675
    - cve.2021.34527
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
    condition: selection
fields:
    - id.orig_h
    - id.resp_h
    - id.resp_p
    - operation
    - endpoint
    - named_pipe
    - uid
falsepositives:
    - Legitimate remote alteration of a printer driver.
level: medium
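As an added example (not part of the Sigma rule, the Zeek project, or the rule author's work), the following Python applies the rule's selection to Zeek dce_rpc.log lines in JSON output format and returns the rule's listed fields for each hit. The sample log lines, hosts and uids are constructed, and the `allowed_sources` tuning set is an assumption added to handle the rule's stated false positive (legitimate remote driver administration from known hosts).

```python
import json
from typing import Dict, Iterable, List, Optional, Set

# Operation names from the Sigma rule's selection; a dce_rpc event whose
# `operation` field is any of these matches the rule.
PRINTNIGHTMARE_OPERATIONS = frozenset({
    "RpcAsyncInstallPrinterDriverFromPackage",
    "RpcAsyncAddPrintProcessor",
    "RpcAddPrintProcessor",
    "RpcAddPrinterDriverEx",
    "RpcAddPrinterDriver",
    "RpcAsyncAddPrinterDriver",
})

# Fields the rule lists for analysts to surface with each alert.
ALERT_FIELDS = ("id.orig_h", "id.resp_h", "id.resp_p", "operation",
                "endpoint", "named_pipe", "uid")


def match_dce_rpc_event(event: Dict, allowed_sources: Set[str] = frozenset()) -> Optional[Dict]:
    """Return the rule's fields for a matching event, or None.

    `allowed_sources` (an assumption, not part of the rule) lists client IPs
    permitted to manage print drivers remotely, to suppress the known false positive.
    """
    if event.get("operation") not in PRINTNIGHTMARE_OPERATIONS:
        return None
    if event.get("id.orig_h") in allowed_sources:
        return None
    return {field: event.get(field) for field in ALERT_FIELDS}


def scan_zeek_json_log(lines: Iterable[str], allowed_sources: Set[str] = frozenset()) -> List[Dict]:
    """Run the selection over JSON-formatted dce_rpc.log lines; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = match_dce_rpc_event(event, allowed_sources)
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample dce_rpc.log lines (Zeek JSON output); addresses and uids are made up.
SAMPLE_LOG = r"""
{"ts":1629700000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":49832,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"spoolss","operation":"RpcOpenPrinterEx"}
{"ts":1629700001.4,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":49832,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"spoolss","operation":"RpcAddPrinterDriverEx"}
{"ts":1629700002.0,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.orig_p":51000,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"IRemoteWinspool","operation":"RpcAsyncAddPrinterDriver"}
"""
```

Running `scan_zeek_json_log(SAMPLE_LOG.splitlines())` yields two alerts (the driver-install calls) and ignores the ordinary `RpcOpenPrinterEx` call on the same pipe.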
