diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
index dd9c2ac35..62e123578 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -9,6 +9,7 @@ references:
 - https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
 date: 2021/06/30
+modified: 2021/07/08
 tags:
 - attack.execution
 - cve.2021-1675
@@ -33,6 +34,7 @@ detection:
 - '\rev2.dll'
 - '\main64.dll'
 - '\mimilib.dll'
+ - '\mimispool.dll'
 condition: selection or keywords
 fields:
 - PluginDllName
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
index c61ca3df6..9b2fa1744 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -20,6 +20,7 @@ detection:
 - 'UNIDRV.DLL, kernelbase.dll, '
 - ' 123 '
 - ' 1234 '
+ - 'mimispool'
 condition: selection and keywords
 fields:
 - DriverAdded
diff --git a/rules/windows/image_load/win_suspicious_vss_ps_load.yml b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
new file mode 100644
index 000000000..0194d8fff
--- /dev/null
+++ b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
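Review bot: The new keyword `'\mimispool.dll'` is added without any source for where that driver DLL name was observed, while the `references` list at the top of the first hunk is left untouched; the sibling rule win_registry_mimikatz_printernightmare.yml in this same diff cites a gentilkiwi/mimikatz commit for its driver names, so adding that URL here would make the keyword traceable. Because `condition: selection or keywords` lets a keyword hit alone fire the rule, a short inline comment recording the origin, e.g. `- '\mimispool.dll'  # driver DLL name, see references`, keeps the entry from being pruned later as unexplained. The `keywords` list begins above the second hunk.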
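Review bot: The new keyword `'mimispool'` is written as a bare substring, unlike its neighbours `' 123 '` and `' 1234 '`, which are padded with spaces to avoid partial matches, and unlike `'\mimispool.dll'` in the builtin rule changed in the same commit; here any event text containing that substring satisfies `keywords`. That is likely intended since the name is distinctive, but the same indicator now appears in two shapes across two rules, so record the choice inline: `- 'mimispool'  # bare substring on purpose: driver name may appear without path or extension` — confirm against the event text format. The `keywords` list and the `selection` it is combined with begin above the hunk.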
@@ -0,0 +1,37 @@
+title: Image Load of VSS_PS.dll by Uncommon Executable
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+status: experimental
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+references:
+ - 1bd85e1caa1415ebdc8852c91e37bbb7
+ - https://twitter.com/am0nsec/status/1412232114980982787
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1490
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\vss_ps.dll'
+ filter:
+ Image|endswith:
+ - '\svchost.exe'
+ - '\msiexec.exe'
+ - '\vssvc.exe'
+ - '\srtasks.exe'
+ - '\tiworker.exe'
+ - '\dllhost.exe'
+ - '\searchindexer.exe'
+ - 'dismhost.exe'
+ - 'taskhostw.exe'
+ - '\clussvc.exe'
+ Image|contains: 'c:\windows\'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
index cb39ee540..076b02414 100644
--- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
+++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
@@ -1,7 +1,7 @@
-title: Printnightmare Mimimkatz Driver Name
+title: PrinterNightmare Mimimkatz Driver Name
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: experimental
-description: Detects static QMS 810 driver name used by Mimikatz
+description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 references:
 - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
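Review bot: Two entries in the `filter` list, `'dismhost.exe'` and `'taskhostw.exe'`, lack the leading backslash every other `Image|endswith` entry has, so the exclusion also covers any image under `c:\windows\` whose file name merely ends in those strings rather than being exactly that file; they should read `- '\dismhost.exe'` and `- '\taskhostw.exe'`. The description claims the rule works "using OriginalFileName datapoint", but the detection matches on `Image`, not `OriginalFileName` — either switch the field or correct the description to say the image path. The first reference, `1bd85e1caa1415ebdc8852c91e37bbb7`, is a bare 32-hex value that looks like a sample hash rather than a URL, unlike every other reference in this diff; label it so readers know what it is, e.g. `- 'sample (MD5, presumed): 1bd85e1caa1415ebdc8852c91e37bbb7'`, or move it into a comment. Whether `Image|contains: 'c:\windows\'` matches case-insensitively depends on the backend and is not stated here.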
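Review bot: The rewritten title still carries the typo `Mimimkatz`; since the line is changed anyway it should become `title: PrinterNightmare Mimikatz Driver Name`, and as the reference in the first file of this diff spells the name PrintNightmare (github.com/afwu/PrintNightmare), confirm which spelling the repository wants. The new description repeats itself ("driver name used by Mimikatz" after already naming mimikatz as a driver name); `description: Detects the static driver names 'QMS 810' and 'mimikatz' that Mimikatz uses when exploiting CVE-2021-1675 and CVE-2021-34527` states the same in one clause.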
@@ -12,15 +12,15 @@ tags:
 - cve.2021-1675
 - cve.2021-34527
 date: 2021/07/04
-modified: 2021/07/05
+modified: 2021/07/08
 logsource:
 product: windows
 category: registry_event
 detection:
 selection:
- TargetObject|startswith:
- -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
+ TargetObject|contains:
 - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
 - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
 selection_alt:
 TargetObject|contains|all:
 - 'legitprinter'
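Review bot: The move from `TargetObject|startswith` with a full `HKLM\System\CurrentControlSet\...` prefix to `TargetObject|contains` on the `\Control\Print\...` tail is not explained anywhere in the rule; presumably it tolerates log sources that do not spell the hive prefix as `HKLM\`, and that reason should be recorded so a later cleanup does not tighten it back, e.g. `TargetObject|contains:  # not startswith: hive prefix spelling varies by log source`. Both patterns still hard-code the `Windows x64` environment, so drivers registered under any other print environment are ignored — confirm that is intended. The `mimikatz` pattern has no trailing backslash while the `QMS 810\` one does, so it also matches any driver name that begins with mimikatz; fine if deliberate, worth a word if not. The `selection_alt` list at the end of the hunk continues past it.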