diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 000000000..f2b723b2f
--- /dev/null
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,25 @@
+title: CVE-2021-1675 Print Spooler Exploitation
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+author: Florian Roth
+status: experimental
+level: critical
+references:
+ - https://github.com/hhlxf/PrintNightmare
+ - https://github.com/afwu/PrintNightmare
+date: 2021/06/29
+tags:
+ - attack.execution
+ - cve.2021-1675
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+ condition: selection
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 80be22f95..68cb6815d 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -24,4 +24,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Legitimate programs executing PowerShell scripts
-level: medium
+level: low
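Review bot: The `fields` list exports `TargetFileName` while the selection keys on `TargetFilename`; the two should name the same event field, so the list entry should read `- TargetFilename` (this is the spelling the rule actually matches on). The selection itself only covers the PoC's default output path (`...\spool\drivers\x64\3\old\1\123`), so a trivially renamed artifact falls outside the rule; a second selection on the parent directory `\spool\drivers\x64\3\old\` with a `.dll` suffix, OR'ed into `condition`, would presumably be less brittle, though that directory may also see legitimate driver updates and would need a corresponding `falsepositives` entry rather than `Unknown`. Either way the `description` should say that the match is the PoC default path only, e.g. `description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 (matches the PoC default output path only)`. The hunk is the whole new file, so nothing continues outside it.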