From defcf7f8086b0ef53a307f059bd5ba18282ec09d Mon Sep 17 00:00:00 2001
From: INIT_6
Date: Fri, 2 Jul 2021 10:58:14 -0500
Subject: [PATCH] Added new Print Spooler exploitation detection method

---
 ...it_cve_2021_1675_printspooler_Security.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml

diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
new file mode 100644
index 000000000..7e423f647
--- /dev/null
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
@@ -0,0 +1,25 @@
+title: CVE-2021-1675 Print Spooler Exploitation
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
+author: INIT_6
+status: experimental
+level: critical
+references:
+ - https://twitter.com/INIT_3/status/1410662463641731075
+date: 2021/07/02
+tags:
+ - attack.execution
+ - cve.2021-1675
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '5145'
+ ShareName: \\*\IPC$
+ RelativeTargetName: 'spoolss'
+ AccessMask: '0x3'
+ ObjectType: 'File'
+ condition: selection
+falsepositives:
+ - nothing observed so far
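Review bot: The `selection` block matches any remote client opening the spoolss named pipe over IPC$ with read/write access (EventID 5145, AccessMask 0x3), which ordinary remote printing from a workstation to a print server is also expected to produce, so as written the rule detects remote spooler RPC access in general rather than exploitation of CVE-2021-1675 specifically; `level: critical` together with `falsepositives: - nothing observed so far` looks optimistic for that. I would record the benign source explicitly, e.g. `- Legitimate print clients and print servers opening the spoolss pipe over IPC$`, and tune the level down or restrict the selection (for instance by excluding known print servers) in environments with remote printing. The `description` should also state that 5145 is only emitted when the "Audit Detailed File Share" subcategory is enabled, since the rule is silent otherwise; the description mentions Detailed File Share but not that it is a prerequisite. Minor style point: `EventID: '5145'` is quoted while other Sigma rules in this tree generally use the bare integer, which is worth aligning if the project convention is the integer form.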