From 579220de6f7fa3b02ba76278635a22a89dc8e339 Mon Sep 17 00:00:00 2001
From: Tran Trung Hieu
Date: Wed, 30 Jun 2021 20:30:22 +0700
Subject: [PATCH] Detect the PrintNighmare exploit using ImageLoad

---
 .../sysmon_cve_2021_1675_print_nightmare.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml

diff --git a/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml b/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
new file mode 100644
index 00000000..7d57896e
--- /dev/null
+++ b/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
@@ -0,0 +1,27 @@
+title: Windows Spooler Service Suspicious Binary Load
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+status: experimental
+description: Detect suspicious DLL Load from Spooler Service backup folder
+references:
+  - https://github.com/hhlxf/PrintNightmare
+author: FPT.EagleEye
+date: 2021/06/29
+tags:
+  - attack.persistence
+  - attack.defense_evasion
+  - attack.privilege_escalation
+  - attack.t1574
+  - cve.2021-1675
+logsource:
+  category: image_load
+  product: windows
+detection:
+  selection:
+    Image|endswith:
+      - 'spoolsv.exe'
+    ImageLoaded:
+      - 'Windows\System32\spool\drivers\x64\3\old\*.dll'
+  condition: selection
+falsepositives:
+  - Possible. Requires further testing.
+level: high
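Review bot: The `ImageLoaded` value in the selection has no leading wildcard and no modifier, so Sigma matches it as a full-string pattern and a real event value that starts with a drive letter (`C:\Windows\System32\...`) never matches, which makes the rule silently produce nothing; anchor it with `ImageLoaded|contains: '\spool\drivers\x64\3\old\'` or prefix the existing pattern with `*`. The `Image|endswith` value should likewise carry the path separator, `- '\spoolsv.exe'`, so that any other binary whose name merely ends in that string is not matched. The pattern is also pinned to the x64 driver directory, so loads from the 32-bit driver tree would be missed; worth either noting that scope in `description` or widening the path. The `cve.2021-1675` tag appears to deviate from the dotted form the Sigma tag convention uses for CVE tags — confirm against the project's other rules before merging.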