Emerging Threathightest

Potential PrintNightmare Exploitation Attempt

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Bhabesh RajCreated Thu Jul 01Updated Fri Feb 175b2bbc47-dead-4ef7-8908-0cf73fcbecbf2021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        Image|endswith: '\spoolsv.exe'
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0004 · Privilege Escalation

Techniques

T1574 · Hijack Execution Flow

Other

cve.2021-1675detection.emerging-threats

Rule Metadata

Rule ID

5b2bbc47-dead-4ef7-8908-0cf73fcbecbf

Status

test

Level

high

Type

Emerging Threat

Created

Thu Jul 01

Modified

Fri Feb 17

Author

Bhabesh Raj

Path

rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574cve.2021-1675detection.emerging-threats

View on GitHub