From 3196e55d5a8ff2dd11d5956f2f0eb90f7c0cdd7e Mon Sep 17 00:00:00 2001
From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com>
Date: Wed, 30 Jun 2021 15:52:46 +0000
Subject: [PATCH] Create PrintNightmare.yml

Detect dll drop to spool\drivers\x64\3\old\ or known dlls dropped by POCs.
---
 queries/windows/PrintNightmare.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 queries/windows/PrintNightmare.yml

diff --git a/queries/windows/PrintNightmare.yml b/queries/windows/PrintNightmare.yml
new file mode 100644
index 0000000..d543300
--- /dev/null
+++ b/queries/windows/PrintNightmare.yml
@@ -0,0 +1,17 @@
+title: CVE-2021-1675 PrintNightmare
+description: Detection of yet another Print Spooler vuln.
+author: keyboardcrunch
+date: 30/06/2021
+modified:
+mitre:
+ tactic: Persistence, Defense Evasion, Privilege Escalation
+ technique: T1574
+ subtechnique:
+operating_system: windows
+query: TgtFilePath RegExp "(?i)C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)" OR TgtFilePath RegExp "(?i)\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$"
+false_positives: null
+tags:
+ - CVE-2021-1675
+ - PrintNightmare
+references:
+ - https://github.com/hhlxf/PrintNightmare
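Review bot: In the `query:` line, `[^1|2]` is a character class, not an alternation — it excludes the single characters `1`, `|` and `2`, so the first regex rejects any path whose subfolder under `old\` starts with 1 or 2 (old\10 through old\29 included) while matching old\3 onward, which is probably narrower than intended; if the aim is to exempt the first two numbered subfolders, write that explicitly and document it, otherwise `old\\[^\\]+\\[^\\]+\.dll$` states the intent more plainly. The pattern sits inside a YAML double-quoted scalar, where `\\` collapses to a single backslash and `\.` is not a recognised YAML escape, so depending on whether the consumer runs the file through a standard YAML loader the regex may arrive altered (`\x64` reads as a hex escape) or fail to parse at all — single-quoting the value avoids both. `false_positives: null` should at least note that legitimate printer driver installs and updates write to the `old\` tree, which is the main benign source of hits for the first clause; the second clause keys on fixed PoC filenames and will only catch unmodified proof-of-concept builds, which is worth saying in `description:` so analysts weight it accordingly.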