---
# Sigma rule: print-spooler plug-in load failures (and PoC-default DLL names)
# that typically accompany a CVE-2021-1675 / PrintNightmare exploitation attempt.
title: Possible CVE-2021-1675 Print Spooler Exploitation
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
author: Florian Roth, KevTheHermit, fuzzyf10w
status: experimental
level: high
references:
  - https://github.com/hhlxf/PrintNightmare
  - https://github.com/afwu/PrintNightmare
  - https://twitter.com/fuzzyf10w/status/1410202370835898371
date: 2021/06/30
modified: 2021/07/08
tags:
  - attack.execution
  - cve.2021-1675
logsource:
  product: windows
  # Sigma alias for the Microsoft-Windows-PrintService/Admin channel; it must be
  # enabled on the host or these events are never written.
  service: printservice-admin
detection:
  # Within `selection` both keys must match (map entries are AND-ed);
  # the values inside each list are OR-ed.
  selection:
    EventID:
      - 808   # legacy id of the plug-in load failure event
      - 4909  # current id of the same event
    ErrorCode:
      - '0x45A'  # ERROR_DLL_INIT_FAILED
      - '0x7e'   # ERROR_MOD_NOT_FOUND
  # Free-text matches; any single hit is sufficient on its own.
  keywords:
    - 'The print spooler failed to load a plug-in module'
    # Default DLL names shipped with public PoC code. They are trivially
    # renamed, so this branch only catches unmodified tooling; the leading
    # backslash anchors the name to a path separator to limit partial matches.
    - 'MyExploit.dll'
    - 'evil.dll'
    - '\addCube.dll'
    - '\rev.dll'
    - '\rev2.dll'
    - '\main64.dll'
    - '\mimilib.dll'
    - '\mimispool.dll'
  condition: selection or keywords
# Surfaced in alerts so the analyst sees which plug-in the spooler tried to load.
fields:
  - PluginDllName
falsepositives:
  - Problems with printer drivers