mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
3196e55d5a
Detect dll drop to spool\drivers\x64\3\old\ or known dlls dropped by POCs.
18 lines
587 B
YAML
18 lines
587 B
YAML
title: CVE-2021-1675 PrintNightmare
|
|
description: Detection of yet another Print Spooler vuln.
|
|
author: keyboardcrunch
|
|
date: 30/06/2021
|
|
modified:
|
|
mitre:
|
|
tactic: Persistence, Defense Evasion, Privilege Escalation
|
|
technique: T1574
|
|
subtechnique:
|
|
operating_system: windows
|
|
query: TgtFilePath RegExp "(?i)C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)" OR TgtFilePath RegExp "(?i)\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$"
|
|
false_positives: null
|
|
tags:
|
|
- CVE-2021-1675
|
|
- PrintNightmare
|
|
references:
|
|
- https://github.com/hhlxf/PrintNightmare
|