Type: Emerging Threat | Level: critical | Status: test
PrinterNightmare Mimikatz Driver Name
Detects the static "QMS 810" and "mimikatz" printer driver names that Mimikatz uses when exploiting CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).
Authors: Markus Neis, Florian Roth (Nextron Systems)
Created: Sun Jul 04 2021 | Updated: Mon Jun 12
Rule ID: ba6b9e43-1d45-4d3c-a504-1043a64c8469
Emerging Threat (Active Threat): developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (4 selectors)
detection:
  selection:
    TargetObject|contains:
      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
  selection_alt:
    TargetObject|contains|all:
      - 'legitprinter'
      - '\Control\Print\Environments\Windows'
  selection_print:
    TargetObject|contains:
      - '\Control\Print\Environments'
      - '\CurrentVersion\Print\Printers'
  selection_kiwi:
    TargetObject|contains:
      - 'Gentil Kiwi'
      - 'mimikatz printer'
      - 'Kiwi Legit Printer'
  condition: selection or selection_alt or (selection_print and selection_kiwi)

False Positives
Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
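The following is an added example (not part of the rule page or SigmaHQ's code) that evaluates the four selectors and the condition above against constructed Sysmon-style registry events, so the matching logic can be checked before deployment. It assumes Sigma's default case-insensitive string matching and an event shape with a `TargetObject` field.

```python
from typing import Dict, List

# Selectors transcribed from the Sigma rule above. Sigma string modifiers
# match case-insensitively, so all comparisons below are lower-cased.
SELECTION = [
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\",
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz",
]
SELECTION_ALT = ["legitprinter", "\\Control\\Print\\Environments\\Windows"]  # contains|all
SELECTION_PRINT = ["\\Control\\Print\\Environments", "\\CurrentVersion\\Print\\Printers"]
SELECTION_KIWI = ["Gentil Kiwi", "mimikatz printer", "Kiwi Legit Printer"]


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' list semantics: any needle is a substring (case-insensitive)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma 'contains|all' semantics: every needle must be a substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def evaluate(event: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate each selector and the rule condition for one registry event."""
    target = event.get("TargetObject", "")
    r = {
        "selection": contains_any(target, SELECTION),
        "selection_alt": contains_all(target, SELECTION_ALT),
        "selection_print": contains_any(target, SELECTION_PRINT),
        "selection_kiwi": contains_any(target, SELECTION_KIWI),
    }
    # condition: selection or selection_alt or (selection_print and selection_kiwi)
    r["alert"] = r["selection"] or r["selection_alt"] or (r["selection_print"] and r["selection_kiwi"])
    return r


# Constructed sample events (Sysmon EventID 12/13 TargetObject values); not real telemetry.
SAMPLE_EVENTS = [
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz\\Configuration File"},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\legitprinter\\Data File"},
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Kiwi Legit Printer\\DsSpooler"},
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\HP LaserJet\\DsSpooler"},  # benign driver
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},  # unrelated key
]


def alerting_targets(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if evaluate(e)["alert"]]
```

The fourth sample shows why selection_print alone is not enough to alert: a legitimate printer key under CurrentVersion\Print\Printers only fires when paired with one of the Kiwi/mimikatz strings.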
MITRE ATT&CK
Tactics: Execution (attack.execution)
Techniques: T1204 User Execution (attack.t1204)
Other: cve.2021-1675, cve.2021-34527, detection.emerging-threats
Rule Metadata
Rule ID: ba6b9e43-1d45-4d3c-a504-1043a64c8469
Status: test
Level: critical
Type: Emerging Threat
Created: Sun Jul 04
Modified: Mon Jun 12
Path: rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml
Raw Tags: attack.execution, attack.t1204, cve.2021-1675, cve.2021-34527, detection.emerging-threats