From c5f4dbacd8719f2d19e854875b9bc694babacb59 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 17 Aug 2022 09:28:21 +0200
Subject: [PATCH] fix: wrong temp rule in folder
---
 ...mitigations_defender_load_susp_folder.yaml | 45 -------------------
 1 file changed, 45 deletions(-)
 delete mode 100644 rules/windows/builtin/security_mitigations/sec_mitigations_defender_load_susp_folder.yaml
diff --git a/rules/windows/builtin/security_mitigations/sec_mitigations_defender_load_susp_folder.yaml b/rules/windows/builtin/security_mitigations/sec_mitigations_defender_load_susp_folder.yaml
deleted file mode 100644
index b5deb16bb..000000000
--- a/rules/windows/builtin/security_mitigations/sec_mitigations_defender_load_susp_folder.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Possible CVE-2021-1675 Print Spooler Exploitation
-id: e98974e6-591e-47f5-bd32-61d6272da6b4
-description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
-author: Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton
-status: experimental
-level: high
-references:
- - https://github.com/hhlxf/PrintNightmare
- - https://github.com/afwu/PrintNightmare
- - https://twitter.com/fuzzyf10w/status/1410202370835898371
-date: 2021/06/30
-modified: 2022/06/22
-tags:
- - attack.execution
- - attack.t1569
- - cve.2021.1675
-logsource:
- product: windows
- service: printservice-admin
-detection:
- selection:
- EventID:
- - 808 # old id
- - 4909 # new id
- ErrorCode:
- - '0x45A'
- - '0x7e'
- keywords:
- - 'The print spooler failed to load a plug-in module'
- # default file names used in PoC codes
- - 'MyExploit.dll'
- - 'evil.dll'
- - '\addCube.dll'
- - '\rev.dll'
- - '\rev2.dll'
- - '\main64.dll'
- - '\mimilib.dll'
- - '\mimispool.dll'
- falsepositive:
- - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
- condition: (selection or keywords) and not falsepositive
-fields:
- - PluginDllName
-falsepositives:
- - Problems with printer drivers