PrinterNightmare Mimikatz Driver Name

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

Sigma rule (View on GitHub)

 1title: PrinterNightmare Mimikatz Driver Name
 2id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 3status: test
 4description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 5references:
 6    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 7    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
 9    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
10    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
11author: Markus Neis, @markus_neis, Florian Roth
12date: 2021/07/04
13modified: 2023/06/12
14tags:
15    - attack.execution
16    - attack.t1204
17    - cve.2021.1675
18    - cve.2021.34527
19logsource:
20    product: windows
21    category: registry_event
22detection:
23    selection:
24        TargetObject|contains:
25            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
26            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
27    selection_alt:
28        TargetObject|contains|all:
29            - 'legitprinter'
30            - '\Control\Print\Environments\Windows'
31    selection_print:
32        TargetObject|contains:
33            - '\Control\Print\Environments'
34            - '\CurrentVersion\Print\Printers'
35    selection_kiwi:
36        TargetObject|contains:
37            - 'Gentil Kiwi'
38            - 'mimikatz printer'
39            - 'Kiwi Legit Printer'
40    condition: selection or selection_alt or (selection_print and selection_kiwi)
41falsepositives:
42    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
43level: critical

References

Related rules

to-top