Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Possible PrintNightmare Print Driver Install - CVE-2021-1675

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Possible PrintNightmare Print Driver Install - CVE-2021-1675

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
      type: derived
status: stable
description: |
    Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://github.com/corelight/CVE-2021-1675
    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
modified: 2025-11-03
tags:
    - attack.execution
    - cve.2021-1678
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
    condition: selection
falsepositives:
    - Legitimate remote alteration of a printer driver.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml