frack113
25 lines
817 B
YAML
25 lines
817 B
YAML
title: Suspicious Printer Driver Empty Manufacturer
|
|
id: e0813366-0407-449a-9869-a2db1119dc41
|
|
status: experimental
|
|
description: Detects a suspicious printer driver installation with an empty Manufacturer value
|
|
references:
|
|
- https://twitter.com/SBousseaden/status/1410545674773467140
|
|
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
|
|
author: Florian Roth
|
|
date: 2020/07/01
|
|
tags:
|
|
- attack.privilege_escalation
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
TargetObject|contains|all:
|
|
- '\Control\Print\Environments\Windows x64\Drivers'
|
|
- '\Manufacturer'
|
|
Details: '(Empty)'
|
|
condition: selection
|
|
falsepositives:
|
|
- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
|
|
level: high
|