Merge pull request #1656 from SigmaHQ/rule-devel

rule: suspicious vss ps load / PrinternightMare updates

rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml

@@ -9,6 +9,7 @@ references:
     - https://github.com/afwu/PrintNightmare
     - https://twitter.com/fuzzyf10w/status/1410202370835898371
 date: 2021/06/30
+modified: 2021/07/08
 tags:
     - attack.execution
     - cve.2021-1675
@@ -33,6 +34,7 @@ detection:
         - '\rev2.dll'
         - '\main64.dll'
         - '\mimilib.dll'
+        - '\mimispool.dll'
     condition: selection or keywords
 fields:
     - PluginDllName

rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml

@@ -20,6 +20,7 @@ detection:
         - 'UNIDRV.DLL, kernelbase.dll, '
         - ' 123 '
         - ' 1234 '
+        - 'mimispool'
     condition: selection and keywords
 fields:
     - DriverAdded

rules/windows/image_load/win_suspicious_vss_ps_load.yml

@@ -0,0 +1,37 @@
+title: Image Load of VSS_PS.dll by Uncommon Executable
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+status: experimental
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+references:
+    - 1bd85e1caa1415ebdc8852c91e37bbb7
+    - https://twitter.com/am0nsec/status/1412232114980982787    
+tags:
+    - attack.defense_evasion
+    - attack.impact 
+    - attack.t1490
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\vss_ps.dll'
+    filter:
+        Image|endswith:
+            - '\svchost.exe'
+            - '\msiexec.exe'
+            - '\vssvc.exe'
+            - '\srtasks.exe'
+            - '\tiworker.exe'
+            - '\dllhost.exe'
+            - '\searchindexer.exe'
+            - 'dismhost.exe'
+            - 'taskhostw.exe'
+            - '\clussvc.exe'
+        Image|contains: 'c:\windows\'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high 

rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml

@@ -1,7 +1,7 @@
-title: Printnightmare Mimimkatz Driver Name 
+title: PrinterNightmare Mimimkatz Driver Name 
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: experimental
-description: Detects static QMS 810 driver name used by Mimikatz 
+description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 references:
   - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
   - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
@@ -12,15 +12,15 @@ tags:
   - cve.2021-1675
   - cve.2021-34527
 date: 2021/07/04
-modified: 2021/07/05
+modified: 2021/07/08
 logsource:
   product: windows
   category: registry_event
 detection:
   selection:
-    TargetObject|startswith:
-      -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
-      - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
+    TargetObject|contains:
+      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
+      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
   selection_alt:
     TargetObject|contains|all:
       - 'legitprinter'