Merge pull request #2816 from redsand/fp_antivirus_symantec_file_print_driver

Filter out Symantec "file submitted for analysis" events (false positive, pending analysis)
Florian Roth
2022-03-16 22:29:00 +01:00
committed by GitHub
@@ -6,9 +6,9 @@ references:
- https://twitter.com/mvelazco/status/1410291741241102338
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021/07/01
modified: 2021/11/23
modified: 2022/03/15
tags:
- attack.privilege_escalation
- attack.t1055
@@ -17,11 +17,13 @@ logsource:
detection:
selection:
Filename|contains: 'C:\Windows\System32\spool\drivers\x64\'
condition: selection
keywords:
- 'File submitted to Symantec for analysis' # symantec fp, pending analysis
condition: selection and not keywords
fields:
- Signature
- Filename
- ComputerName
falsepositives:
- Unlikely
- Unlikely, or pending PSP analysis
level: critical
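Review bot: The new `keywords` exclusion on `'File submitted to Symantec for analysis'` is matched against the whole event rather than a specific field, and the only attacker-controlled field this rule already keys on is `Filename` under `C:\Windows\System32\spool\drivers\x64\`, so a dropped driver named to contain that phrase would pass the path check and then be suppressed by `not keywords`, silencing a critical-level rule. If the Symantec event carries this text in a dedicated status/description field (not visible in this hunk), bind the exclusion to it, e.g. `filter:` / `<status field>|contains: 'File submitted to Symantec for analysis'` / `condition: selection and not filter`, so a filename cannot trigger it. It is also worth a comment that these are exactly the events where an unknown file was written to the driver directory and has not yet been convicted, so the exclusion trades alert noise for coverage of novel payloads; stating that rationale next to the filter, or keeping the event at a lower level instead of dropping it, would make the trade-off explicit. The rule's `logsource` block sits above this hunk and is not reviewed here.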