security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/image_load/image_load_spoolsv_dll_load.yml
T
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status 
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00

32 lines
909 B
YAML
Raw Blame History

title: Windows Spooler Service Suspicious Binary Load
id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: test
description: Detect DLL Load from Spooler Service backup folder
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/ly4k/SpoolFool
author: FPT.EagleEye, Thomas Patzke (improvements)
date: 2021/06/29
modified: 2022/06/02
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021.1675
- cve.2021.34527
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\spoolsv.exe'
ImageLoaded|contains:
- '\Windows\System32\spool\drivers\x64\3\'
- '\Windows\System32\spool\drivers\x64\4\'
ImageLoaded|endswith: '.dll'
condition: selection
falsepositives:
- Loading of legitimate driver
level: informational
Reference in New Issue View Git Blame Copy Permalink