SigmaHQ/rules/windows/malware/av_printernightmare_cve_2021_34527.yml

title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicius file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T
date: 2021/07/01
tag:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    product: antivirus
detection:
    selection:
        FileName|contains: 'C:\Windows\System32\spool\drivers\x64\'
    condition: selection
fields:
    - Signature
    - FileName
    - ComputerName
falsepositives:
    - Unlikely
level: critical