Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Sigma rule (View on GitHub)
1title: Suspicious Printer Driver Empty Manufacturer
2id: e0813366-0407-449a-9869-a2db1119dc41
3status: test
4description: Detects a suspicious printer driver installation with an empty Manufacturer value
5references:
6 - https://twitter.com/SBousseaden/status/1410545674773467140
7author: Florian Roth (Nextron Systems)
8date: 2020-07-01
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1574
15 - cve.2021-1675
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|contains|all:
22 - '\Control\Print\Environments\Windows x64\Drivers'
23 - '\Manufacturer'
24 Details: '(Empty)'
25 filter_cutepdf:
26 TargetObject|contains: '\CutePDF Writer v4.0\'
27 filter_vnc:
28 TargetObject|contains:
29 - '\VNC Printer (PS)\'
30 - '\VNC Printer (UD)\'
31 filter_pdf24:
32 TargetObject|contains: '\Version-3\PDF24\'
33 condition: selection and not 1 of filter_*
34falsepositives:
35 - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
36level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Potential PrintNightmare Exploitation Attempt
- Windows Spooler Service Suspicious Binary Load
- DLL Execution Via Register-cimprovider.exe
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Initial Access via DLL Search Order Hijacking