Potential PrintNightmare Exploitation Attempt

Detects DLL deletions from the Print Spooler service driver folder. Such deletions may indicate an exploitation attempt of CVE-2021-1675 (PrintNightmare).

Sigma rule

title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021/07/01
modified: 2023/02/17
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1574
    - cve.2021.1675
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\spoolsv.exe'
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
    condition: selection
falsepositives:
    - Unknown
level: high
