CVE-2021-1675 PoC — Windows Print Spooler Remote Code Execution Vulnerability

Source

Associated Vulnerability

Readme

## CarbonBlack Hunting Query for CVE-2021-1675 (PrintNightmare)

#1 Based on Sigma rule on detecting the POC code
```
filemod_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\123
```

#2 Based on Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND parent_cmdline:spoolsv\.exe
```

#3 Based on Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND process_name:spoolsv\.exe
```

#4 Detecting file events (unsigned), adjust this to your baseline. I did not specify driver path on purpose here since the exploitation and post-exploitation is still a bit unclear. Make sure to adjust this to your baseline (known hash, etc).
```
process_name:spoolsv\.exe AND NOT filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED
```

#5 Detecting file events (signed by non MS), adjust this to your baseline
```
process_name:spoolsv\.exe AND filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED AND NOT filemod_publisher:"Microsoft Windows*"
```

#6 Based on https://github.com/LaresLLC/CVE-2021-1675
```
parent_name:spoolsv\.exe AND childproc_name:werfault\.exe
```

File Snapshot

 [4.0K]  /data/pocs/9e12fbf76db71711c15eedd1b1207feb0ca6c862
└── [1.3K]  README.md

0 directories, 1 file

Remarks