itiB
32 lines
895 B
YAML
32 lines
895 B
YAML
|
|
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
|
|
ruletype: Sigma
|
|
author: Sittikorn S, Nuttakorn T
|
|
date: 2021/07/01
|
|
description: Detects the suspicious file that is created from PoC code against Windows
|
|
Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
|
|
CVE-2021-1675 .
|
|
detection:
|
|
SELECTION_1:
|
|
Filename: '*C:\Windows\System32\spool\drivers\x64\\*'
|
|
condition: SELECTION_1
|
|
falsepositives:
|
|
- Unlikely
|
|
fields:
|
|
- Signature
|
|
- Filename
|
|
- ComputerName
|
|
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
|
|
level: critical
|
|
logsource:
|
|
product: antivirus
|
|
modified: 2021/11/23
|
|
references:
|
|
- https://twitter.com/mvelazco/status/1410291741241102338
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
|
|
status: stable
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.t1055
|