From 9e3caf4ceb9a311ad192b61479f0addafe2b2d9a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 28 Jun 2021 16:38:34 +0200
Subject: [PATCH 1/3] refactor: non-interactive Powershell to "low"

---
 .../windows/process_creation/win_non_interactive_powershell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 80be22f95..68cb6815d 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -24,4 +24,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Legitimate programs executing PowerShell scripts
-level: medium
+level: low

From b2ac3353dcc926426c04c651236a4ab1befed18b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 29 Jun 2021 10:11:08 +0200
Subject: [PATCH 2/3] rule: CVE-2021-1675

---
 .../win_cve_2021_1675_printspooler.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/file_event/win_cve_2021_1675_printspooler.yml

diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 000000000..3b0f1fb72
--- /dev/null
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,24 @@
+title: CVE-2021-1675 Print Spooler Exploitation
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+author: Florian Roth
+status: experimental
+level: critical
+references:
+ - https://github.com/hhlxf/PrintNightmare/
+date: 2021/06/29
+tags:
+ - attack.execution
+ - cve.2021-1675
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+ condition: selection
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown

From a27d3d5880e3e5c6b26da068d113cb121ab391c5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 29 Jun 2021 12:31:13 +0200
Subject: [PATCH 3/3] docs: add 2nd Github upload

---
 rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
index 3b0f1fb72..f2b723b2f 100644
--- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -5,7 +5,8 @@ author: Florian Roth
 status: experimental
 level: critical
 references:
- - https://github.com/hhlxf/PrintNightmare/
+ - https://github.com/hhlxf/PrintNightmare
+ - https://github.com/afwu/PrintNightmare
 date: 2021/06/29
 tags:
 - attack.execution
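Review bot: The `fields:` list names `TargetFileName` while the selection matches on `TargetFilename`; the Sysmon file-event field is `TargetFilename`, so the entry should read `- TargetFilename` or backends that map field names will not resolve it. The selection itself keys on the full PoC default path `...\spool\drivers\x64\3\old\1\123`, which an attacker sidesteps by renaming the dropped DLL; the description admits this, but a `critical` rule that only matches the unmodified PoC deserves a comment on the selection such as `# Matches the hard-coded PoC output name only; a renamed payload evades this rule`. If broader coverage is wanted, a second selection on the `spool\drivers\x64\3\old\` prefix (the directory the spooler appears to move replaced driver files into, judging from the referenced PoC, so confirm) would catch renamed payloads at the cost of noise from legitimate driver updates, which `falsepositives:` should then list instead of `Unknown`.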