Date: 09/16/2024
Severity: Medium
Summary
The "PrintNightmare" vulnerability refers to a critical security flaw in the Windows Print Spooler service, discovered in mid-2021. This vulnerability, tracked as CVE-2021-34527, allows attackers to execute arbitrary code with system privileges, potentially leading to full system compromise. It affects various versions of Windows and can be exploited remotely, making it particularly dangerous. Microsoft released patches to address the issue, but it remains a significant concern for IT security professionals due to its potential for exploitation and the complexity involved in fully securing affected systems.
Indicators of Compromise (IOC) List
Field | Value
Image | '\spoolsv.exe'
TargetFilename | 'C:\Windows\System32\spool\drivers\x64\3\'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Logic
Detection Query 1 | ((resourcename in ("Sysmon") AND eventtype = "23") AND image = "\spoolsv.exe") AND targetfilename = "C:\Windows\System32\spool\drivers\x64\3\"
Detection Query 2 | ((technologygroup = "EDR") AND image = "\spoolsv.exe") AND targetfilename = "C:\Windows\System32\spool\drivers\x64\3\"
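As an added illustration (not part of the Gurucul advisory or its TDIR platform), the following Python applies the logic of Detection Query 1 to constructed Sysmon Event ID 23 (FileDelete) records. It assumes, as the referenced Sigma rule does, that the query's equality on image and targetfilename stands for a path-suffix match and a path-prefix match respectively, and that Windows paths compare case-insensitively.

```python
"""Model of Detection Query 1: spoolsv.exe deleting a file under the x64
print driver store, seen as a Sysmon Event ID 23 (FileDelete) record.
All events below are constructed samples, not real telemetry."""
from dataclasses import dataclass
from typing import Iterable, List

SYSMON_FILE_DELETE_EVENT_ID = 23                      # Sysmon "FileDelete" event
SPOOLER_IMAGE_SUFFIX = "\\spoolsv.exe"               # matched as a path suffix
DRIVER_STORE_PREFIX = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"  # path prefix


@dataclass
class SysmonEvent:
    source: str            # log source name, e.g. "Sysmon" (resourcename in the query)
    event_id: int          # Sysmon event ID (eventtype in the query)
    image: str             # process that performed the file operation
    target_filename: str   # full path of the file that was deleted


def is_print_nightmare_driver_delete(evt: SysmonEvent) -> bool:
    """True when the record satisfies Detection Query 1.
    Assumption: equality in the query means suffix/prefix matching, and
    comparisons are case-insensitive because NTFS paths are."""
    if evt.source != "Sysmon" or evt.event_id != SYSMON_FILE_DELETE_EVENT_ID:
        return False
    image = evt.image.lower()
    target = evt.target_filename.lower()
    return (image.endswith(SPOOLER_IMAGE_SUFFIX.lower())
            and target.startswith(DRIVER_STORE_PREFIX.lower()))


def find_hits(events: Iterable[SysmonEvent]) -> List[SysmonEvent]:
    """Return only the records that should raise the PrintNightmare alert."""
    return [e for e in events if is_print_nightmare_driver_delete(e)]


SAMPLE_EVENTS = [
    # Constructed: spooler deletes a DLL from the driver store -> alert
    SysmonEvent("Sysmon", 23, "C:\\Windows\\System32\\spoolsv.exe",
                "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\unknown.dll"),
    # Constructed: same path but a FileCreate (ID 11), not a delete -> no alert
    SysmonEvent("Sysmon", 11, "C:\\Windows\\System32\\spoolsv.exe",
                "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\unknown.dll"),
    # Constructed: spooler deletes a temp file outside the driver store -> no alert
    SysmonEvent("Sysmon", 23, "C:\\Windows\\System32\\spoolsv.exe",
                "C:\\Windows\\Temp\\job.tmp"),
    # Constructed: another process deletes from the driver store -> no alert
    SysmonEvent("Sysmon", 23, "C:\\Windows\\explorer.exe",
                "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old.dll"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT PrintNightmare driver deletion: {hit.image} -> {hit.target_filename}")
```

Sysmon only emits Event ID 23 when its configuration enables FileDelete logging, so the Sysmon-based query stays silent on hosts without that setting; Detection Query 2 relies on EDR file telemetry instead of the Sysmon event ID.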
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml