40 lines
1.3 KiB
YAML
title: Possible CVE-2021-1675 Print Spooler Exploitation
author: Florian Roth, KevTheHermit, fuzzyf10w
date: 2021/06/30
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
detection:
    SELECTION_1:
        EventID: 808
    SELECTION_2:
        EventID: 4909
    SELECTION_3:
        ErrorCode: '0x45A'
    SELECTION_4:
        ErrorCode: '0x7e'
    KEYWORDS:
        - 'The print spooler failed to load a plug-in module'
        - 'MyExploit.dll'
        - 'evil.dll'
        - '\addCube.dll'
        - '\rev.dll'
        - '\rev2.dll'
        - '\main64.dll'
        - '\mimilib.dll'
        - '\mimispool.dll'
    condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4)) or KEYWORDS
falsepositives:
    - Problems with printer drivers
fields:
    - PluginDllName
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
level: high
logsource:
    product: windows
    service: printservice-admin
modified: 2021/07/08
references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/afwu/PrintNightmare
    - https://twitter.com/fuzzyf10w/status/1410202370835898371
status: experimental
tags:
    - attack.execution
    - cve.2021.1675
yml_filename: win_exploit_cve_2021_1675_printspooler.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
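The rule's condition has two independent branches: an EventID 808/4909 paired with ErrorCode 0x45A (1114, ERROR_DLL_INIT_FAILED) or 0x7e (126, ERROR_MOD_NOT_FOUND), or any of the listed keywords appearing anywhere in the event. The following is an added example, not part of the rule or of the Sigma project: a small Python evaluator of exactly that condition, run over constructed Microsoft-Windows-PrintService/Admin events. It assumes the event fields are named EventID, ErrorCode, PluginDllName and Message, accepts ErrorCode in either hex or decimal form (an assumption about how a log pipeline may render the field), and approximates Sigma keyword matching as a case-insensitive substring search over every string-valued field. The sample events are constructed, not captured.

```python
# Added example (not the rule's or Sigma's own code): evaluate the condition of
# win_exploit_cve_2021_1675_printspooler.yml against constructed
# PrintService/Admin events. Field names and sample data are assumptions.

EVENT_IDS = {808, 4909}                 # SELECTION_1 / SELECTION_2
ERROR_CODES = {0x45A, 0x7E}             # SELECTION_3 / SELECTION_4:
                                        # 1114 ERROR_DLL_INIT_FAILED, 126 ERROR_MOD_NOT_FOUND
KEYWORDS = (                            # the rule's keyword list, verbatim
    "The print spooler failed to load a plug-in module",
    "MyExploit.dll",
    "evil.dll",
    "\\addCube.dll",
    "\\rev.dll",
    "\\rev2.dll",
    "\\main64.dll",
    "\\mimilib.dll",
    "\\mimispool.dll",
)


def parse_error_code(value):
    """Normalise ErrorCode to an int. Accepts 1114, '0x45A', '0x45a' or '1114';
    returns None for anything unparseable. Assumption: pipelines may render the
    field as hex or as decimal, so both are accepted."""
    if value is None:
        return None
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    try:
        return int(text, 16) if text.startswith("0x") else int(text, 10)
    except ValueError:
        return None


def keyword_hits(event):
    """Sigma keywords match anywhere in the event; approximated here as a
    case-insensitive substring search over every string-valued field."""
    hits = set()
    for value in event.values():
        if isinstance(value, str):
            lowered = value.lower()
            hits.update(k for k in KEYWORDS if k.lower() in lowered)
    return sorted(hits)


def evaluate(event):
    """Return which branch of the rule's condition the event satisfies."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        event_id = None
    via_selection = (event_id in EVENT_IDS
                     and parse_error_code(event.get("ErrorCode")) in ERROR_CODES)
    hits = keyword_hits(event)
    return {
        "matched": via_selection or bool(hits),
        "via_selection": via_selection,
        "keywords": hits,
    }


SPOOL = "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3"

# Constructed sample events (not real captures).
SAMPLE_EVENTS = {
    # Exploit-style load failure: hits the EventID/ErrorCode branch and a keyword.
    "exploit": {"EventID": 808, "ErrorCode": "0x45A",
                "PluginDllName": SPOOL + "\\New\\MyExploit.dll"},
    # Legitimate vendor driver missing a dependency: the documented false
    # positive, matched by the selection branch alone.
    "driver_fault": {"EventID": 808, "ErrorCode": "0x7e",
                     "PluginDllName": SPOOL + "\\vendor_ui.dll"},
    # Known tool name with an error code the rule does not list: keywords only.
    "mimispool": {"EventID": 808, "ErrorCode": "0x2",
                  "PluginDllName": SPOOL + "\\New\\mimispool.dll"},
    # Unrelated event from the same channel.
    "benign": {"EventID": 307,
               "Message": "Document 12, Print Document owned by alice was printed."},
    # Any 808 whose rendered message is indexed matches the first keyword,
    # whatever the error code.
    "message_phrase": {"EventID": 808, "ErrorCode": "0x2",
                       "PluginDllName": SPOOL + "\\ui_module.dll",
                       "Message": "The print spooler failed to load a plug-in module "
                                  + SPOOL + "\\ui_module.dll, error code 0x2."},
}


def run_samples():
    """Evaluate every sample event; returns {name: result}."""
    return {name: evaluate(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:15} matched={result['matched']!s:5} "
              f"selection={result['via_selection']!s:5} keywords={result['keywords']}")
```

Two things the samples make visible. First, the "message_phrase" case: the first keyword is the text of event 808 itself, so on a backend that indexes the rendered message the rule fires on every plug-in load failure regardless of error code, and the 0x45A/0x7e selection adds nothing. Second, the "driver_fault" case: a vendor driver failing with ERROR_MOD_NOT_FOUND is indistinguishable from an exploit at the condition level, which is the false positive the rule lists. In both situations the triage pivot is the `PluginDllName` field the rule exposes under `fields`: a DLL under a freshly created subdirectory of the spool DRIVERS tree, or a name with no matching installed printer driver package, is what separates an exploitation attempt from a broken driver.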