Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Sigma rule (View on GitHub)
1title: Suspicious Printer Driver Empty Manufacturer
2id: e0813366-0407-449a-9869-a2db1119dc41
3status: test
4description: Detects a suspicious printer driver installation with an empty Manufacturer value
5references:
6 - https://twitter.com/SBousseaden/status/1410545674773467140
7author: Florian Roth (Nextron Systems)
8date: 2020-07-01
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.execution
14 - attack.stealth
15 - attack.t1574
16 - cve.2021-1675
17logsource:
18 category: registry_set
19 product: windows
20detection:
21 selection:
22 TargetObject|contains|all:
23 - '\Control\Print\Environments\Windows x64\Drivers'
24 - '\Manufacturer'
25 Details: '(Empty)'
26 filter_cutepdf:
27 TargetObject|contains: '\CutePDF Writer v4.0\'
28 filter_vnc:
29 TargetObject|contains:
30 - '\VNC Printer (PS)\'
31 - '\VNC Printer (UD)\'
32 filter_pdf24:
33 TargetObject|contains: '\Version-3\PDF24\'
34 condition: selection and not 1 of filter_*
35falsepositives:
36 - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
37level: high
References
Related rules
- Potential PrintNightmare Exploitation Attempt
- Windows Spooler Service Suspicious Binary Load
- DLL Execution Via Register-cimprovider.exe
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Initial Access via DLL Search Order Hijacking