Emerging Threat | critical | stable
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that is created by PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
Authors: Sittikorn S, Nuttakorn T, Tim Shelton. Created: Thu Jul 01. Updated: Mon Oct 23. Rule ID: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561 (2021).
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Category: Antivirus Alert (raw Sigma category: antivirus)
Detection Logic (2 selectors)
detection:
  selection:
    Filename|contains: ':\Windows\System32\spool\drivers\x64\'
  keywords:
    - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
  condition: selection and not keywords
False Positives
Unlikely, or pending PSP analysis
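To show how the two selectors and the condition above combine, here is an added example (not part of the rule page or the Sigma project) that evaluates the rule's logic over a handful of constructed antivirus alert events. Only the `Filename` field name comes from the rule; the other field names (`Signature`, `Action`) and every event value are constructed sample data, and the matching semantics follow the Sigma specification (`|contains` is a case-insensitive substring match, and a bare `keywords` list is matched against any value in the event).

```python
"""Evaluate the PrinterNightmare antivirus Sigma rule over constructed events.

Added example, not the rule page's or the Sigma project's own code. Field
names other than `Filename` and all event values are constructed sample data.
"""

# selection: Filename|contains this spool driver directory.
# A normal (not raw) string is used because a raw string cannot end in '\'.
SPOOL_DRIVER_PATH = ":\\Windows\\System32\\spool\\drivers\\x64\\"

# keywords: rule-level exclusion for Symantec "pending analysis" submissions.
PENDING_ANALYSIS_KEYWORDS = ["File submitted to Symantec"]


def _contains(value, needle):
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in str(value).lower()


def selection_matches(event):
    """`selection`: the Filename field contains the x64 spool driver path."""
    return _contains(event.get("Filename", ""), SPOOL_DRIVER_PATH)


def keywords_match(event):
    """`keywords`: any field value contains one of the keyword strings."""
    return any(
        _contains(value, keyword)
        for value in event.values()
        for keyword in PENDING_ANALYSIS_KEYWORDS
    )


def rule_matches(event):
    """condition: selection and not keywords"""
    return selection_matches(event) and not keywords_match(event)


# Constructed sample AV alert events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\new\\evil.dll",
     "Signature": "Trojan.Gen", "Action": "quarantined"},
    # Same directory with different casing: still matches (case-insensitive).
    {"id": 2, "Filename": "c:\\windows\\system32\\SPOOL\\drivers\\X64\\3\\stage.dll",
     "Signature": "WS.Reputation.1", "Action": "blocked"},
    # In the directory, but suppressed by the keywords exclusion.
    {"id": 3, "Filename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\pending.dll",
     "Signature": "File submitted to Symantec", "Action": "pending analysis"},
    # Unrelated path: no match.
    {"id": 4, "Filename": "C:\\Users\\alice\\Downloads\\setup.exe",
     "Signature": "Trojan.Gen", "Action": "quarantined"},
    # 32-bit driver directory is outside the rule's scope: no match.
    {"id": 5, "Filename": "C:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\legacy.dll",
     "Signature": "Trojan.Gen", "Action": "quarantined"},
]


def matching_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [event["id"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"event {event['id']}: selection={selection_matches(event)} "
              f"keywords={keywords_match(event)} alert={rule_matches(event)}")
    print("alerting event ids:", matching_event_ids())
```

Running it alerts on events 1 and 2 only: event 3 sits in the right directory but is excluded by the `File submitted to Symantec` keyword (the pending-analysis false positive the rule comments on), and events 4 and 5 never satisfy `selection`. Note that the rule only looks at the x64 driver directory, so a 32-bit driver path (as in event 5) would not be caught by this rule as written.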
MITRE ATT&CK
Techniques
Other
detection.emerging-threats, cve.2021-34527, cve.2021-1675
Rule Metadata
Rule ID
6fe1719e-ecdf-4caf-bffe-4f501cb0a561
Status
stable
Level
critical
Type
Emerging Threat
Created
Thu Jul 01
Modified
Mon Oct 23
Author
Path
rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
Raw Tags
attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.emerging-threats, cve.2021-34527, cve.2021-1675