Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Sigma rule (View on GitHub)
1title: Suspicious Printer Driver Empty Manufacturer
2id: e0813366-0407-449a-9869-a2db1119dc41
3status: test
4description: Detects a suspicious printer driver installation with an empty Manufacturer value
5references:
6 - https://twitter.com/SBousseaden/status/1410545674773467140
7author: Florian Roth (Nextron Systems)
8date: 2020-07-01
9modified: 2023-08-17
10tags:
11 - attack.privilege-escalation
12 - attack.t1574
13 - cve.2021-1675
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains|all:
20 - '\Control\Print\Environments\Windows x64\Drivers'
21 - '\Manufacturer'
22 Details: '(Empty)'
23 filter_cutepdf:
24 TargetObject|contains: '\CutePDF Writer v4.0\'
25 filter_vnc:
26 TargetObject|contains:
27 - '\VNC Printer (PS)\'
28 - '\VNC Printer (UD)\'
29 filter_pdf24:
30 TargetObject|contains: '\Version-3\PDF24\'
31 condition: selection and not 1 of filter_*
32falsepositives:
33 - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
34level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- APT PRIVATELOG Image Load Pattern
- AWS Glue Development Endpoint Activity