Emerging Threat | medium | stable
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
Created Mon Aug 23, 2021 | Updated Mon Nov 03 | Rule ID 7b33baef-2a75-4ca3-9da4-34f9a15382d8
Emerging Threat (Active Threat): developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: dce_rpc (raw: dce_rpc)
Detection Logic (1 selector)

```yaml
detection:
  selection:
    operation:
      - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
      - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
      - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
      - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
      - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
      - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
  condition: selection
```

False Positives
Legitimate remote alteration of a printer driver.
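As an added example (not code from the Sigma project or this page), the rule's selection evaluated in Python over constructed Zeek dce_rpc.log records in JSON format; the `allowlisted_sources` parameter is an assumed tuning knob for the false positive named above (hosts that are expected to push drivers), not part of the rule itself.

```python
import json

# The six spoolss / IRemoteWinspool operations from the rule's selection list.
PRINTNIGHTMARE_OPERATIONS = frozenset({
    "RpcAsyncInstallPrinterDriverFromPackage",
    "RpcAsyncAddPrintProcessor",
    "RpcAddPrintProcessor",
    "RpcAddPrinterDriverEx",
    "RpcAddPrinterDriver",
    "RpcAsyncAddPrinterDriver",
})


def matches_rule(event: dict) -> bool:
    """Sigma 'selection': the dce_rpc 'operation' field is one of the listed calls."""
    return event.get("operation") in PRINTNIGHTMARE_OPERATIONS


def find_alerts(log_lines, allowlisted_sources=frozenset()):
    """Evaluate the rule over Zeek dce_rpc.log lines written as JSON.

    allowlisted_sources is an assumed tuning knob, not part of the Sigma rule:
    hosts that legitimately install printer drivers over RPC (the documented false positive).
    """
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if not matches_rule(event) or event.get("id.orig_h") in allowlisted_sources:
            continue
        alerts.append({
            "ts": event.get("ts"),
            "src": event.get("id.orig_h"),
            "dst": event.get("id.resp_h"),
            "endpoint": event.get("endpoint"),
            "operation": event["operation"],
        })
    return alerts


# Constructed sample dce_rpc.log records (Zeek JSON output); not real captures.
SAMPLE_LOG = [
    '{"ts":1627890000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":445,'
    '"endpoint":"spoolss","operation":"RpcOpenPrinter"}',
    '{"ts":1627890001.2,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":445,'
    '"endpoint":"spoolss","operation":"RpcAddPrinterDriverEx"}',
    '{"ts":1627890002.3,"id.orig_h":"10.0.0.2","id.resp_h":"10.0.0.21","id.resp_p":445,'
    '"endpoint":"IRemoteWinspool","operation":"RpcAsyncAddPrinterDriver"}',
    'not json',
]
```

Running `find_alerts(SAMPLE_LOG)` yields two alerts (the RpcAddPrinterDriverEx and RpcAsyncAddPrinterDriver events); passing `allowlisted_sources={"10.0.0.2"}` suppresses the one from the assumed print-management host.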
MITRE ATT&CK
Tactics
Other tags: cve.2021-1678, cve.2021-1675, cve.2021-34527, detection.emerging-threats
Rule Metadata
Rule ID: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
Status: stable
Level: medium
Type: Emerging Threat
Created: Mon Aug 23
Modified: Mon Nov 03
Path: rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml
Raw Tags: attack.execution, cve.2021-1678, cve.2021-1675, cve.2021-34527, detection.emerging-threats