Potential PrintNightmare Exploitation Attempt

 1title: Potential PrintNightmare Exploitation Attempt
 2id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
 3status: test
 4description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
 5references:
 6    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
 7    - https://github.com/cube0x0/CVE-2021-1675
 8author: Bhabesh Raj
 9date: 2021-07-01
10modified: 2023-02-17
11tags:
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.privilege-escalation
15    - attack.t1574
16    - cve.2021-1675
17logsource:
18    category: file_delete
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\spoolsv.exe'
23        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

• hhlxf/PrintNightmare

  

  Contribute to hhlxf/PrintNightmare development by creating an account on GitHub.

  
  Read More

• GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

  

  C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527 - cube0x0/CVE-2021-1675

  
  Read More

Related rules

• Windows Spooler Service Suspicious Binary Load
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address