Potential PrintNightmare Exploitation Attempt
Detects file deletions performed by the Print Spooler service (spoolsv.exe) inside its x64 driver folder, C:\Windows\System32\spool\drivers\x64\3\. PrintNightmare exploits for CVE-2021-1675 add a malicious printer driver: the spooler copies the attacker's DLL into this folder, loads it, and then replaces or removes driver files there, so file-delete events attributed to spoolsv.exe in that path are a useful exploitation indicator. Practitioner notes: the file_delete logsource maps to Sysmon file-delete events (Event ID 23/26) and needs that telemetry enabled; legitimate printer driver installation and updates (including Point and Print) also make spoolsv.exe replace files in this directory, which is the main source of noise behind the "Unknown" false positives; and the selection has no '.dll' constraint and uses a contains match, so any file deleted by spoolsv.exe under that path, including subfolders, triggers the rule.
Sigma rule
title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021/07/01
modified: 2023/02/17
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1574
    - cve.2021.1675
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\spoolsv.exe'
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
    condition: selection
falsepositives:
    - Unknown
level: high
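To see what the selection above actually matches (and what it does not), the following added Python example evaluates the rule's two field conditions over a handful of constructed Sysmon FileDelete-style events. This is illustration code written for this page, not code from the Sigma project; the events are made up, the minimal matcher only implements the `contains`, `endswith` and `startswith` modifiers, and the case-insensitive comparison follows Sigma's default string matching.

```python
"""Run the PrintNightmare Sigma selection over constructed Sysmon FileDelete events.

Added illustration, not code from the Sigma project. The events below are
constructed to resemble Sysmon Event ID 23 (FileDelete) fields; they are not
real telemetry.
"""
from typing import Callable

# Sigma string comparisons are case-insensitive unless the 'cased' modifier
# is used, which is also what a Windows path comparison needs.
MODIFIERS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, pattern: pattern.lower() in value.lower(),
    "endswith": lambda value, pattern: value.lower().endswith(pattern.lower()),
    "startswith": lambda value, pattern: value.lower().startswith(pattern.lower()),
}

# The rule's 'selection' map, transcribed from the YAML on this page.
SELECTION: dict[str, str] = {
    "Image|endswith": "\\spoolsv.exe",
    "TargetFilename|contains": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\",
}


def field_matches(event: dict, key: str, pattern: str) -> bool:
    """Apply one 'Field|modifier: value' pair to an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False
    if not modifier:
        return value.lower() == pattern.lower()
    return MODIFIERS[modifier](value, pattern)


def selection_matches(event: dict, selection: dict[str, str] = SELECTION) -> bool:
    """A Sigma map selection is an AND over all of its field conditions."""
    return all(field_matches(event, key, pattern) for key, pattern in selection.items())


def matching_targets(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


DRIVER_DIR = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
SPOOLSV = "C:\\Windows\\System32\\spoolsv.exe"

# Constructed events (not real logs); only the fields the rule reads are kept.
EVENTS: list[dict] = [
    # 1. Exploit-style: spoolsv removes an attacker DLL from the driver dir -> hit
    {"EventID": 23, "Image": SPOOLSV, "TargetFilename": DRIVER_DIR + "evil.dll"},
    # 2. Benign driver update replacing a vendor DLL -> also a hit (the false positive)
    {"EventID": 23, "Image": SPOOLSV, "TargetFilename": DRIVER_DIR + "UNIDRV.DLL"},
    # 3. Non-DLL file in the same directory -> hit; the rule has no '.dll' constraint
    {"EventID": 23, "Image": SPOOLSV, "TargetFilename": DRIVER_DIR + "printer.gpd"},
    # 4. Different casing in both paths -> still a hit, matching is case-insensitive
    {"EventID": 23, "Image": "c:\\windows\\system32\\SPOOLSV.EXE",
     "TargetFilename": "C:\\WINDOWS\\System32\\spool\\DRIVERS\\x64\\3\\payload.dll"},
    # 5. Spool job file deleted by spoolsv in PRINTERS, not the driver dir -> no hit
    {"EventID": 23, "Image": SPOOLSV,
     "TargetFilename": "C:\\Windows\\System32\\spool\\PRINTERS\\00001.SHD"},
    # 6. Same directory, but deleted by cmd.exe rather than the spooler -> no hit
    {"EventID": 23, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": DRIVER_DIR + "evil.dll"},
]

if __name__ == "__main__":
    for target in matching_targets(EVENTS):
        print("ALERT", target)
```

Events 2 and 3 are the ones to keep in mind when tuning: a routine driver update and a non-DLL file both fire the rule exactly as the attacker's DLL does, so in environments with frequent driver management you will want to correlate with the Sysmon image-load rule listed under related rules or baseline the deleted file names.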
Related rules
- Windows Spooler Service Suspicious Binary Load
- Service Security Descriptor Tampering Via Sc.EXE
- PUA - Process Hacker Execution
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures