Merge pull request #1588 from SigmaHQ/rule-devel

CVE-2021-1675 Print Spooler Exploitation

rules/windows/file_event/win_cve_2021_1675_printspooler.yml

@@ -0,0 +1,25 @@
+title: CVE-2021-1675 Print Spooler Exploitation
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+author: Florian Roth
+status: experimental
+level: critical
+references:
+    - https://github.com/hhlxf/PrintNightmare
+    - https://github.com/afwu/PrintNightmare
+date: 2021/06/29
+tags:
+    - attack.execution
+    - cve.2021-1675
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+    condition: selection
+fields:
+    - ComputerName
+    - TargetFileName
+falsepositives:
+    - Unknown

rules/windows/process_creation/win_non_interactive_powershell.yml

@@ -24,4 +24,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Legitimate programs executing PowerShell scripts
-level: medium
+level: low