LoFP / alerts on legitimate printer drivers that do not set any more details in the manufacturer value

Techniques

t1574

Sample rules

Suspicious Printer Driver Empty Manufacturer

source: sigma
technicques:
- t1574

Description

Detects a suspicious printer driver installation with an empty Manufacturer value

Detection logic

condition: selection and not 1 of filter_*
filter_cutepdf:
  TargetObject|contains: \CutePDF Writer v4.0\
filter_pdf24:
  TargetObject|contains: \Version-3\PDF24\
filter_vnc:
  TargetObject|contains:
  - \VNC Printer (PS)\
  - \VNC Printer (UD)\
selection:
  Details: (Empty)
  TargetObject|contains|all:
  - \Control\Print\Environments\Windows x64\Drivers
  - \Manufacturer