From 96ea35fd92a8d5a1fad84b671d3ddb1648a50394 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Jul 2021 18:21:57 +0200
Subject: [PATCH 1/4] rule: suspicious vss ps load
---
 .../image_load/win_suspicious_vss_ps_load.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rules/windows/image_load/win_suspicious_vss_ps_load.yml
diff --git a/rules/windows/image_load/win_suspicious_vss_ps_load.yml b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
new file mode 100644
index 000000000..1f8114262
--- /dev/null
+++ b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
@@ -0,0 +1,36 @@
+title: Image Load of vss_ps.dll by uncommon Executable (observed in Shadow Volume Deletion)
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+status: experimental
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+references:
+ - 1bd85e1caa1415ebdc8852c91e37bbb7
+ - https://twitter.com/am0nsec/status/1412232114980982787
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1490
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'VSS_PS.DLL'
+ filter:
+ Image|endswith:
+ - '\svchost.exe'
+ - '\msiexec.exe'
+ - '\vssvc.exe'
+ - '\srtasks.exe'
+ - '\tiworker.exe'
+ - '\dllhost.exe'
+ - '\searchindexer.exe'
+ - 'dismhost.exe'
+ - 'taskhostw.exe'
+ Image|contains: 'c:\windows\'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
From 79338b2dbda86e28e387c09c2254683310b6aa33 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 8 Jul 2021 08:33:46 +0200
Subject: [PATCH 2/4] fix: title
---
 rules/windows/image_load/win_suspicious_vss_ps_load.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
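Review bot: The `filter` block at the end of the hunk can be satisfied from user-writable locations, because `Image|contains: 'c:\windows\'` also matches `C:\Windows\Temp\svchost.exe` or `C:\Windows\Tasks\dllhost.exe`, and the entries `'dismhost.exe'` and `'taskhostw.exe'` lack the leading backslash the other entries carry, so a binary named e.g. `xtaskhostw.exe` is excluded as well. Anchor the exclusion on the real system directories — replace `Image|contains: 'c:\windows\'` with `Image|startswith:` listing `'c:\windows\system32\'`, `'c:\windows\syswow64\'` and `'c:\windows\winsxs\'` (the last presumably needed for TiWorker.exe; confirm against your telemetry) — and prefix the two entries with `\`; if DismHost.exe is observed launching from a temp directory, give it its own fully-qualified filter rather than widening the path match again. The first `references` entry is a bare hash with no context; Sigma expects resolvable URLs, so either link the sample report or drop it.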
diff --git a/rules/windows/image_load/win_suspicious_vss_ps_load.yml b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
index 1f8114262..dcd4ea755 100644
--- a/rules/windows/image_load/win_suspicious_vss_ps_load.yml
+++ b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
@@ -1,4 +1,4 @@
-title: Image Load of vss_ps.dll by uncommon Executable (observed in Shadow Volume Deletion)
+title: Image Load of VSS_PS.dll by Uncommon Executable
 id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
 status: experimental
 description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
@@ -33,4 +33,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - unknown
-level: medium
\ No newline at end of file
+level: medium
From 2055f78780727ed026b78858ce1fae1f0370ba50 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 8 Jul 2021 09:05:57 +0200
Subject: [PATCH 3/4] refactor: make the rule more usable
---
 rules/windows/image_load/win_suspicious_vss_ps_load.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/image_load/win_suspicious_vss_ps_load.yml b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
index dcd4ea755..0194d8fff 100644
--- a/rules/windows/image_load/win_suspicious_vss_ps_load.yml
+++ b/rules/windows/image_load/win_suspicious_vss_ps_load.yml
@@ -16,8 +16,8 @@ logsource:
 product: windows
 detection:
 selection:
- OriginalFileName:
- - 'VSS_PS.DLL'
+ ImageLoaded|endswith:
+ - '\vss_ps.dll'
 filter:
 Image|endswith:
 - '\svchost.exe'
@@ -29,8 +29,9 @@ detection:
 - '\searchindexer.exe'
 - 'dismhost.exe'
 - 'taskhostw.exe'
+ - '\clussvc.exe'
 Image|contains: 'c:\windows\'
 condition: selection and not filter
 falsepositives:
 - unknown
-level: medium
+level: high
From f78b35335256dbca1329769641602360689b7591 Mon Sep 17 00:00:00 2001
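Review bot: The new `selection` in the `@@ -16,8 +16,8 @@` hunk keys on `ImageLoaded|endswith: '\vss_ps.dll'`, which a copy of the DLL dropped under another name no longer matches, whereas the `OriginalFileName` match it replaces survives renaming; the trade-off is presumably that `OriginalFileName` is not populated on image_load events by every backend or Sysmon build, which is what "more usable" seems to refer to. Keep both by making the selection a list of alternatives — `selection:` / `  - ImageLoaded|endswith: '\vss_ps.dll'` / `  - OriginalFileName: 'VSS_PS.DLL'` — since a list of maps is OR-ed in Sigma, so backends without the field still match on the path. The `description` line, outside this hunk, still says the rule uses the "OriginalFileName datapoint" and should be updated in the same commit.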
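Review bot: `level` goes from medium to high at the end of the `@@ -29,8 +29,9 @@` hunk while `falsepositives` two lines above still says `unknown`, so anything that loads the VSS proxy stub from outside `C:\Windows` (third-party backup or snapshot agents, presumably) will now fire at high severity with no triage hint. Either keep medium until the rule has been baselined, or document the expected benign class, e.g. `falsepositives:` / `  - Third-party backup or snapshot software loading vss_ps.dll from outside the Windows directory`. The added `'\clussvc.exe'` entry is consistent with its neighbours, but a short comment naming why each exclusion exists would make future additions reviewable.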
From: Florian Roth
Date: Thu, 8 Jul 2021 14:35:51 +0200
Subject: [PATCH 4/4] PrinterNightmare rule updates
---
 .../win_exploit_cve_2021_1675_printspooler.yml | 2 ++
 ...xploit_cve_2021_1675_printspooler_operational.yml | 1 +
 .../win_registry_mimikatz_printernightmare.yml | 12 ++++++------
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
index dd9c2ac35..62e123578 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -9,6 +9,7 @@ references:
 - https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
 date: 2021/06/30
+modified: 2021/07/08
 tags:
 - attack.execution
 - cve.2021-1675
@@ -33,6 +34,7 @@ detection:
 - '\rev2.dll'
 - '\main64.dll'
 - '\mimilib.dll'
+ - '\mimispool.dll'
 condition: selection or keywords
 fields:
 - PluginDllName
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
index c61ca3df6..9b2fa1744 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -20,6 +20,7 @@ detection:
 - 'UNIDRV.DLL, kernelbase.dll, '
 - ' 123 '
 - ' 1234 '
+ 'mimispool'
 condition: selection and keywords
 fields:
 - DriverAdded
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
index cb39ee540..076b02414 100644
--- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
+++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
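Review bot: `'\mimispool.dll'` in the `@@ -33,6 +34,7 @@` hunk is the default library name of the public mimikatz PrintNightmare module and, like the `rev2.dll`/`main64.dll` neighbours, is presumably operator-selectable, so the entry only catches unmodified tooling; that limitation belongs next to the list, e.g. `# default DLL names used by public PoCs; trivially renamed by an attacker`. The key of this list and the `selection` it is OR-ed with sit outside the hunk, so the structural fit cannot be checked here. The `tags` visible in the first hunk of this file carry only `cve.2021-1675`; since mimispool.dll is the CVE-2021-34527 payload, add `- cve.2021-34527` if it is not already present further down.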
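Review bot: The added `'mimispool'` line in the operational rule's `@@ -20,6 +20,7 @@` hunk appears without the `- ` sequence marker that the three entries above it carry; if that is not a rendering artefact, the file is no longer valid YAML (a bare scalar following block-sequence items) and the whole rule fails to load, so it should read `- 'mimispool'`. The list's key is outside the hunk (presumably `keywords`, given `condition: selection and keywords`), in which case the bare substring is a full-text match on the event and will also hit paths like `...\mimispool.dll`, which is fine but worth stating in the description alongside the renaming caveat.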
@@ -1,7 +1,7 @@
-title: Printnightmare Mimimkatz Driver Name
+title: PrinterNightmare Mimimkatz Driver Name
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: experimental
-description: Detects static QMS 810 driver name used by Mimikatz
+description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 references:
 - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
@@ -12,15 +12,15 @@ tags:
 - cve.2021-1675
 - cve.2021-34527
 date: 2021/07/04
-modified: 2021/07/05
+modified: 2021/07/08
 logsource:
 product: windows
 category: registry_event
 detection:
 selection:
- TargetObject|startswith:
- -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
+ TargetObject|contains:
+ - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
+ - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
 selection_alt:
 TargetObject|contains|all:
 - 'legitprinter'
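Review bot: The new `title` in the `@@ -1,7 +1,7 @@` hunk still misspells the tool as `Mimimkatz`, and the new `description` reads oddly ("static QMS 810 and mimikatz driver name used by Mimikatz"). Suggest `title: PrintNightmare Mimikatz Driver Name` and `description: Detects the static printer driver names 'QMS 810' and 'mimikatz' that Mimikatz registers when exploiting CVE-2021-1675 / CVE-2021-34527 (PrintNightmare)`. The vulnerability is generally spelled PrintNightmare (as in the afwu/PrintNightmare reference used by the sibling rule), while this commit's subject and title use PrinterNightmare; pick one spelling and use it across the three rules.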
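Review bot: The new `TargetObject|contains` values in the `@@ -12,15 +12,15 @@` hunk still hard-code the `Windows x64` print environment, so driver registrations under `Windows NT x86` (32-bit spooler hosts) or `Windows ARM64` are not matched even though the switch from `startswith` to `contains` was presumably made to widen the match beyond `CurrentControlSet`. Drop the environment segment and anchor on the driver directory instead: `- '\Drivers\Version-3\QMS 810\'` and `- '\Drivers\Version-3\mimikatz'`. Both values are default names from the mimikatz module and can be changed by the operator, which the `falsepositives`/description (outside this hunk) should acknowledge.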