Date: 09/17/2024
Severity: Medium
Summary
CVE-2021-1675, also known as the "Print Spooler" vulnerability, is a security flaw in the Print Spooler service of Microsoft Windows. It allows an attacker to execute arbitrary code with system-level privileges by exploiting improper validation of file paths, either remotely or to gain control over an affected system, potentially leading to full system compromise. The flaw affects Windows servers and desktops that run the Print Spooler service, and exploitation produces a specific filename pattern under the service's driver directory, which the detection queries below key on. Microsoft has released patches for this issue, and users are advised to update their systems to mitigate the risk.
Indicators of Compromise (IOC) List
Field | Value
TargetFilename | C:\Windows\System32\spool\drivers\x64\3\old\1\123
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourceName = "Windows Security" AND eventtype in ("4663")) AND ObjectName = "C:\Windows\System32\spool\drivers\x64\3\old\1\123"
Detection Query 2 | ((technologygroup = "EDR") AND ObjectName = "C:\Windows\System32\spool\drivers\x64\3\old\1\123")
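To check what the two queries will and will not catch, the following Python script mirrors their logic over a handful of constructed file-event records. It is an added example, not Gurucul's TDIR code or the referenced Sigma rule: the sample records, host names and any field other than resourceName, eventtype, technologygroup and ObjectName are made up for the demo, and the optional "broad" mode (matching any file in the IOC's parent directory rather than only the file named 123) is an assumption of the example, not something the advisory states. It also normalises case and slash direction, because an exact string compare as written in the queries misses a path logged as c:/windows/... even though NTFS treats it as the same file.

```python
import ntpath

# IOC path exactly as listed in the IOC table above.
IOC_PATH = r"C:\Windows\System32\spool\drivers\x64\3\old\1\123"
# Parent directory of the IOC. Matching on this prefix instead of the exact
# file is an assumption of this example; the advisory lists only the file.
IOC_DIR = r"C:\Windows\System32\spool\drivers\x64\3\old\1"


def normalize(path):
    """Canonicalise a Windows path for comparison. NTFS paths are
    case-insensitive and '/' is accepted as a separator, so a raw string
    compare (as in the queries) misses 'c:/windows/...' spellings.
    ntpath is pure string handling and works on any platform."""
    return ntpath.normpath(path).lower()


def is_ioc_hit(path, broad=False):
    """True if path is the IOC file, or (broad mode) any file in its directory."""
    p = normalize(path)
    if p == normalize(IOC_PATH):
        return True
    return broad and p.startswith(normalize(IOC_DIR) + "\\")


def object_name(record):
    # Query 2 and the Security event use ObjectName; the IOC table and the
    # referenced Sigma rule use TargetFilename. Accept either spelling.
    return record.get("ObjectName") or record.get("TargetFilename") or ""


def matches_query_1(record, broad=False):
    """Mirror of Detection Query 1: Windows Security event 4663 on the IOC path."""
    return (record.get("resourceName") == "Windows Security"
            and str(record.get("eventtype")) in {"4663"}
            and is_ioc_hit(object_name(record), broad))


def matches_query_2(record, broad=False):
    """Mirror of Detection Query 2: any EDR file event on the IOC path."""
    return (record.get("technologygroup") == "EDR"
            and is_ioc_hit(object_name(record), broad))


def evaluate(records, broad=False):
    """Return [(record index, query label)] for every record that fires a query."""
    hits = []
    for i, rec in enumerate(records):
        if matches_query_1(rec, broad):
            hits.append((i, "query1"))
        if matches_query_2(rec, broad):
            hits.append((i, "query2"))
    return hits


# Constructed sample records (not real telemetry); hosts and values are made up.
SAMPLE_RECORDS = [
    # 0: Security 4663 on the exact IOC path -> Query 1 fires
    {"resourceName": "Windows Security", "eventtype": "4663", "host": "PRINT01",
     "ObjectName": r"C:\Windows\System32\spool\drivers\x64\3\old\1\123"},
    # 1: Security 4663 on a legitimate driver file in the same tree -> no hit
    {"resourceName": "Windows Security", "eventtype": "4663", "host": "PRINT01",
     "ObjectName": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},
    # 2: Security 4656 (handle requested) on the IOC path -> Query 1 does not
    #    fire because it is restricted to event 4663
    {"resourceName": "Windows Security", "eventtype": "4656", "host": "PRINT01",
     "ObjectName": r"C:\Windows\System32\spool\drivers\x64\3\old\1\123"},
    # 3: EDR event with lower-case, forward-slash spelling -> Query 2 fires
    #    only because of normalisation
    {"technologygroup": "EDR", "host": "WS-42",
     "TargetFilename": "c:/windows/system32/spool/drivers/x64/3/old/1/123"},
    # 4: EDR event on a sibling file (124) -> exact mode misses it, broad catches it
    {"technologygroup": "EDR", "host": "WS-42",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\old\1\124"},
]

if __name__ == "__main__":
    for broad in (False, True):
        print("broad" if broad else "exact", evaluate(SAMPLE_RECORDS, broad))
```

Running the script prints the exact-mode hits (records 0 and 3) and then the broad-mode hits (records 0, 3 and 4). Record 4 is the point of the broad mode: the queries above pin the match to the single filename 123, so an operator tuning them should decide whether the trailing filename is stable enough to match on or whether the parent directory is the better indicator, and should make sure the platform's string compare is case-insensitive before relying on the literal path.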
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml