Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation Filename Pattern

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Tue Jun 29Updated Sun Dec 252131cfb3-8c12-45e8-8fa0-31f5924e9f072021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0004 · Privilege Escalation TA0042 · Resource Development

Techniques

T1587 · Develop Capabilities

Other

cve.2021-1675detection.emerging-threats

Rule Metadata

Rule ID

2131cfb3-8c12-45e8-8fa0-31f5924e9f07

Status

test

Level

critical

Type

Emerging Threat

Created

Tue Jun 29

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_exploit_cve_2021_1675_printspooler.yml

Raw Tags

attack.executionattack.privilege-escalationattack.resource-developmentattack.t1587cve.2021-1675detection.emerging-threats

View on GitHub