Detectionhightest
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Wed Jul 01Updated Thu Aug 17e0813366-0407-449a-9869-a2db1119dc41windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic4 selectors
detection:
selection:
TargetObject|contains|all:
- '\Control\Print\Environments\Windows x64\Drivers'
- '\Manufacturer'
Details: '(Empty)'
filter_cutepdf:
TargetObject|contains: '\CutePDF Writer v4.0\'
filter_vnc:
TargetObject|contains:
- '\VNC Printer (PS)\'
- '\VNC Printer (UD)\'
filter_pdf24:
TargetObject|contains: '\Version-3\PDF24\'
condition: selection and not 1 of filter_*False Positives
Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
References
MITRE ATT&CK
Techniques
Other
cve.2021-1675
Rule Metadata
Rule ID
e0813366-0407-449a-9869-a2db1119dc41
Status
test
Level
high
Type
Detection
Created
Wed Jul 01
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574cve.2021-1675