Emerging Threat | Level: high | Status: test
Possible CVE-2021-1675 Print Spooler Exploitation
Detects plug-in/driver load errors in the Windows print service log (PrintService/Admin event 808) that can indicate a successful exploitation attempt against the print spooler vulnerability CVE-2021-1675.
Authors: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
Created: Wed Jun 30, 2021
Updated: Tue Nov 15
Rule ID: 4e64668a-4da1-49f5-a8df-9e2d5b866718
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Windows (raw: windows)
Service: printservice-admin (raw: printservice-admin)
Detection Logic (3 selectors)
detection:
  selection:
    EventID: 808
    ErrorCode:
      - '0x45A'
      - '0x7e'
  keywords:
    - 'The print spooler failed to load a plug-in module'
    # default file names used in PoC codes
    - 'MyExploit.dll'
    - 'evil.dll'
    - '\addCube.dll'
    - '\rev.dll'
    - '\rev2.dll'
    - '\main64.dll'
    - '\mimilib.dll'
    - '\mimispool.dll'
  falsepositive:
    - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
  condition: (selection or keywords) and not falsepositive
False Positives
Problems with printer drivers
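To see how the three selectors combine, here is the rule's logic re-implemented in plain Python and run over a few hand-written event records. This is an added example, not Sigma project code or a backend conversion: the event dictionaries are constructed for illustration (their message text only follows the general shape of event 808), keyword matching is treated as a case-insensitive substring search over all field values (the usual Sigma backend behaviour, assumed here), and ErrorCode values are compared case-insensitively so '0x45A' and '0x45a' both match. Note one consequence worth knowing before deploying the rule: the first keyword is the event's own message text, so every 808 plug-in load failure fires unless it carries " registration timed out", regardless of ErrorCode or DLL name. That is why the false-positive note above lists generic printer driver problems.

```python
"""Evaluate the CVE-2021-1675 Print Spooler Sigma rule over constructed events.

Added example: re-implements the rule's selection / keywords / falsepositive
selectors and its condition in Python. Not the Sigma project's own code.
"""
from __future__ import annotations

# selection: EventID 808 AND ErrorCode in {0x45A (ERROR_DLL_INIT_FAILED), 0x7e (ERROR_MOD_NOT_FOUND)}
SELECTION_EVENT_ID = 808
SELECTION_ERROR_CODES = {"0x45a", "0x7e"}  # compared case-insensitively (assumption)

# keywords: any of these substrings anywhere in the event (case-insensitive, assumption)
KEYWORDS = [
    "The print spooler failed to load a plug-in module",
    # default file names used in PoC codes
    "MyExploit.dll",
    "evil.dll",
    "\\addCube.dll",
    "\\rev.dll",
    "\\rev2.dll",
    "\\main64.dll",
    "\\mimilib.dll",
    "\\mimispool.dll",
]

# falsepositive: the PrintConfig registration timeout message
FALSE_POSITIVE_KEYWORDS = [" registration timed out"]


def _event_text(event: dict) -> str:
    """Flatten all field values to one lower-cased string for keyword matching."""
    return " ".join(str(v) for v in event.values()).lower()


def selection(event: dict) -> bool:
    """Field-based selector: both field conditions must hold (Sigma AND within a map)."""
    return (
        event.get("EventID") == SELECTION_EVENT_ID
        and str(event.get("ErrorCode", "")).lower() in SELECTION_ERROR_CODES
    )


def keywords(event: dict) -> bool:
    """Keyword selector: any listed string appears somewhere in the event."""
    text = _event_text(event)
    return any(k.lower() in text for k in KEYWORDS)


def falsepositive(event: dict) -> bool:
    """Exclusion selector for the known-benign registration timeout."""
    text = _event_text(event)
    return any(k.lower() in text for k in FALSE_POSITIVE_KEYWORDS)


def matches(event: dict) -> bool:
    """condition: (selection or keywords) and not falsepositive"""
    return (selection(event) or keywords(event)) and not falsepositive(event)


# Constructed sample events (not real telemetry). "name" is only a label.
SAMPLE_EVENTS = [
    {"name": "exploit_by_errorcode", "EventID": 808, "ErrorCode": "0x45A",
     "Message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\payload.dll, error code 0x45A."},
    {"name": "exploit_by_filename", "EventID": 808, "ErrorCode": "0x0",
     "Message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\evil.dll, error code 0x0."},
    {"name": "benign_timeout", "EventID": 808, "ErrorCode": "0x45A",
     "Message": "The print spooler failed to load a plug-in module PrintConfig registration timed out"},
    {"name": "unrelated", "EventID": 372, "ErrorCode": "0x0",
     "Message": "The document Report.pdf, owned by alice, failed to print on printer Office."},
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    """Return the labels of the events the rule would alert on."""
    return [e["name"] for e in events if matches(e)]


if __name__ == "__main__":
    for name in run():
        print("ALERT:", name)
```

The second sample event shows why the rule lists PoC DLL names at all: its ErrorCode is not one of the two selected values, so only the keyword selector catches it. The third shows the exclusion doing its job even though the field selector matches.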
MITRE ATT&CK
Tactics: Execution (attack.execution)
Techniques: T1569 System Services (attack.t1569)
Other: cve.2021-1675, detection.emerging-threats
Rule Metadata
Rule ID
4e64668a-4da1-49f5-a8df-9e2d5b866718
Status
test
Level
high
Type
Emerging Threat
Created
Wed Jun 30
Modified
Tue Nov 15
Path
rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
Raw Tags
attack.execution, attack.t1569, cve.2021-1675, detection.emerging-threats