PrinterNightmare Mimikatz Driver Name

calendar Aug 12, 2024 · attack.execution attack.t1204 cve.2021-1675 cve.2021-34527  ·
Share on: linkedin copy

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

Sigma rule (View on GitHub)

 1title: PrinterNightmare Mimikatz Driver Name
 2id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 3status: test
 4description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 5references:
 6    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 7    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
 9    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
10    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
11author: Markus Neis, @markus_neis, Florian Roth
12date: 2021-07-04
13modified: 2023-06-12
14tags:
15    - attack.execution
16    - attack.t1204
17    - cve.2021-1675
18    - cve.2021-34527
19logsource:
20    product: windows
21    category: registry_event
22detection:
23    selection:
24        TargetObject|contains:
25            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
26            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
27    selection_alt:
28        TargetObject|contains|all:
29            - 'legitprinter'
30            - '\Control\Print\Environments\Windows'
31    selection_print:
32        TargetObject|contains:
33            - '\Control\Print\Environments'
34            - '\CurrentVersion\Print\Printers'
35    selection_kiwi:
36        TargetObject|contains:
37            - 'Gentil Kiwi'
38            - 'mimikatz printer'
39            - 'Kiwi Legit Printer'
40    condition: selection or selection_alt or (selection_print and selection_kiwi)
41falsepositives:
42    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
43level: critical

References

  • [new] mimikatz misc::printnightmare little POC · gentilkiwi/mimikatz@c212760

    A little tool to play with Windows security. Contribute to gentilkiwi/mimikatz development by creating an account on GitHub.


    Read More

  • %PDF-1.6 %âãÏÓ 41 0 obj endobj 55 0 obj /Filter/FlateDecode/ID[ ]/Index[41 20]/Info 40 0 R/Length 74/Prev 180217/Root 42 0 R/Size 61/Type/XRef/W[1 2 1]>>stream hÞbbd``b`š$ìA,më.�`ý"N€ˆ^ ÁÒb=...


    Read More

  • [MS-RPRN]: DRIVER_INFO and RPC_DRIVER_INFO Members

    This section describes members commonly used in DRIVER_INFO (section 2.2.1.5) and RPC_DRIVER_INFO (section 2.2.1.3.1)


    Read More

  • NVD - cve-2021-1675

    CVE-2021-1675 Detail Description Windows Print Spooler Remote Code Execution Vulnerability Metrics   NVD enrichment efforts reference publicly available information to associate vector strings. CVS...


    Read More

  • NVD - cve-2021-34527

    CVE-2021-34527 Detail Description A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully ex...


    Read More

Related rules

to-top