Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create PrintNightmare.yml

Browse Source 
Detect dll drop to spool\drivers\x64\3\old\ or known dlls dropped by POCs.
This commit is contained in:
keyboardcrunch
2021-06-30 15:52:46 +00:00
committed by GitHub
parent e1fdca6dfa
commit 3196e55d5a
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/PrintNightmare.yml
+17
View File
@@ -0,0 +1,17 @@
title: CVE-2021-1675 PrintNightmare
description: Detection of yet another Print Spooler vuln.
author: keyboardcrunch
date: 30/06/2021
modified:
mitre:
tactic: Persistence, Defense Evasion, Privilege Escalation
technique: T1574
subtechnique:
operating_system: windows
query: TgtFilePath RegExp "(?i)C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)" OR TgtFilePath RegExp "(?i)\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$"
false_positives: null
tags:
- CVE-2021-1675
- PrintNightmare
references:
- https://github.com/hhlxf/PrintNightmare