Merge pull request #1593 from hieuttmmo/master

PrintNightmare Detection using ImageLoad

rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml

@@ -0,0 +1,27 @@
+title: Windows Spooler Service Suspicious Binary Load 
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+status: experimental
+description: Detect suspicious DLL Load from Spooler Service backup folder 
+references:
+    - https://github.com/hhlxf/PrintNightmare
+author: FPT.EagleEye
+date: 2021/06/29
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574
+    - cve.2021-1675
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - 'spoolsv.exe'
+        ImageLoaded:
+            - 'Windows\System32\spool\drivers\x64\3\old\*.dll'
+    condition: selection
+falsepositives:
+    - Possible. Requires further testing.
+level: high