PrinterNightmare Mimikatz Driver Name

calendar Jun 15, 2023 · attack.execution attack.t1204 cve.2021.1675 cve.2021.34527  ·
Share on: linkedin copy

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

Sigma rule (View on GitHub)

 1title: PrinterNightmare Mimikatz Driver Name
 2id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 3status: test
 4description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 5references:
 6    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 7    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
 8    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
 9    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
10    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
11author: Markus Neis, @markus_neis, Florian Roth
12date: 2021/07/04
13modified: 2023/06/12
14tags:
15    - attack.execution
16    - attack.t1204
17    - cve.2021.1675
18    - cve.2021.34527
19logsource:
20    product: windows
21    category: registry_event
22detection:
23    selection:
24        TargetObject|contains:
25            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
26            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
27    selection_alt:
28        TargetObject|contains|all:
29            - 'legitprinter'
30            - '\Control\Print\Environments\Windows'
31    selection_print:
32        TargetObject|contains:
33            - '\Control\Print\Environments'
34            - '\CurrentVersion\Print\Printers'
35    selection_kiwi:
36        TargetObject|contains:
37            - 'Gentil Kiwi'
38            - 'mimikatz printer'
39            - 'Kiwi Legit Printer'
40    condition: selection or selection_alt or (selection_print and selection_kiwi)
41falsepositives:
42    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
43level: critical

References

  • [new] mimikatz misc::printnightmare little POC · gentilkiwi/mimikatz@c212760

    A little tool to play with Windows security. Contribute to gentilkiwi/mimikatz development by creating an account on GitHub.


    Read More

  • %PDF-1.6 %âãÏÓ 41 0 obj endobj 55 0 obj /Filter/FlateDecode/ID[ ]/Index[41 20]/Info 40 0 R/Length 74/Prev 180217/Root 42 0 R/Size 61/Type/XRef/W[1 2 1]>>stream hÞbbd``b`š$ìA,më.�`ý"N€ˆ^ ÁÒb=...


    Read More

  • [MS-RPRN]: DRIVER_INFO and RPC_DRIVER_INFO Members

    This section describes members commonly used in DRIVER_INFO (section 2.2.1.5) and RPC_DRIVER_INFO (section 2.2.1.3.1)


    Read More

  • NVD - cve-2021-1675

    CVE-2021-1675 Detail Modified This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. ...


    Read More

  • NVD - cve-2021-34527

    CVE-2021-34527 Detail Description A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully ex...


    Read More

Related rules

to-top