CVE2021

CVE-2021-1675

9Rules

20References

1Folders

2025-11-03Latest

Summary

CVE-2021-1675 is tracked here through 9 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2021. Coverage centers on antivirus, windows / file_delete, windows / file_event +3.

Related Detections

Search this threat

Emerging Threatmediumstable

Possible PrintNightmare Print Driver Install - CVE-2021-1675

Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.

Zeek (Bro)dce_rpc

TA0002 · Executioncve.2021-1678cve.2021-1675cve.2021-34527+1

Mon Aug 232021

Emerging Threatcriticalstable

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Antivirus Alert

TA0005 · StealthTA0004 · Privilege EscalationT1055 · Process Injectiondetection.emerging-threats+2

Sittikorn S+2Thu Jul 012021

Emerging Threatcriticaltest

PrinterNightmare Mimikatz Driver Name

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

WindowsRegistry Event

TA0002 · ExecutionT1204 · User Executioncve.2021-1675cve.2021-34527+1

Markus Neis+1Sun Jul 042021

Emerging Threathightest

Potential PrintNightmare Exploitation Attempt

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

WindowsFile Delete

TA0003 · PersistenceTA0005 · StealthTA0004 · Privilege EscalationT1574 · Hijack Execution Flow+2

Bhabesh RajThu Jul 012021

Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation Filename Pattern

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

WindowsFile Event

TA0002 · ExecutionTA0004 · Privilege EscalationTA0042 · Resource DevelopmentT1587 · Develop Capabilities+2

Florian Roth (Nextron Systems)Tue Jun 292021

Emerging Threathightest

Possible CVE-2021-1675 Print Spooler Exploitation

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Windowsprintservice-admin

TA0002 · ExecutionT1569 · System Servicescve.2021-1675detection.emerging-threats

Florian Roth (Nextron Systems)+3Wed Jun 302021

Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation

Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

Windowsprintservice-operational

TA0002 · ExecutionT1569 · System Servicescve.2021-1675detection.emerging-threats

Florian Roth (Nextron Systems)Thu Jul 012021

Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation IPC Access

Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527

Windowssecurity

TA0002 · ExecutionT1569 · System Servicescve.2021-1675cve.2021-34527+1

INIT_6Fri Jul 022021

Emerging Threatinformationaltest

Windows Spooler Service Suspicious Binary Load

Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).

WindowsImage Load (DLL)

TA0003 · PersistenceTA0005 · StealthTA0004 · Privilege EscalationT1574 · Hijack Execution Flow+3

FPT.EagleEye+1Tue Jun 292021