mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
40 lines
1.5 KiB
YAML
40 lines
1.5 KiB
YAML
title: PrinterNightmare Mimimkatz Driver Name
|
|
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
|
|
status: experimental
|
|
description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
|
|
references:
|
|
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
|
|
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
|
|
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
|
|
author: Markus Neis, @markus_neis, Florian Roth
|
|
tags:
|
|
- attack.execution
|
|
- cve.2021-1675
|
|
- cve.2021-34527
|
|
date: 2021/07/04
|
|
modified: 2021/07/28
|
|
logsource:
|
|
product: windows
|
|
category: registry_event
|
|
detection:
|
|
selection:
|
|
TargetObject|contains:
|
|
- '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
|
|
- '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
|
|
selection_alt:
|
|
TargetObject|contains|all:
|
|
- 'legitprinter'
|
|
- '\Control\Print\Environments\Windows'
|
|
selection_print:
|
|
TargetObject|contains:
|
|
- '\Control\Print\Environments'
|
|
- '\CurrentVersion\Print\Printers'
|
|
selection_kiwi:
|
|
TargetObject|contains:
|
|
- 'Gentil Kiwi'
|
|
- 'mimikatz printer'
|
|
- 'Kiwi Legit Printer'
|
|
condition: selection or selection_alt or (selection_print and selection_kiwi)
|
|
falsepositives:
|
|
- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
|
|
level: critical |