关联漏洞
标题:
Microsoft Windows Print Spooler Components 安全漏洞
(CVE-2021-1675)
描述:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for AR
介绍
## CarbonBlack Hunting Query for CVE-2021-1675 (PrintNightmare)
#1 Based on Sigma rule on detecting the POC code
```
filemod_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\123
```
#2 Based on Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND parent_cmdline:spoolsv\.exe
```
#3 Based on Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND process_name:spoolsv\.exe
```
#4 Detecting file events (unsigned), adjust this to your baseline. I did not specify driver path on purpose here since the exploitation and post-exploitation is still a bit unclear. Make sure to adjust this to your baseline (known hash, etc).
```
process_name:spoolsv\.exe AND NOT filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED
```
#5 Detecting file events (signed by non MS), adjust this to your baseline
```
process_name:spoolsv\.exe AND filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED AND NOT filemod_publisher:"Microsoft Windows*"
```
#6 Based on https://github.com/LaresLLC/CVE-2021-1675
```
parent_name:spoolsv\.exe AND childproc_name:werfault\.exe
```
文件快照
[4.0K] /data/pocs/9e12fbf76db71711c15eedd1b1207feb0ca6c862
└── [1.3K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。