LoFP / Legitimate installation of printer driver QMS 810, Texas Instruments MicroLaser printer (unlikely)

Techniques

Sample rules

PrinterNightmare Mimikatz Driver Name

Description

Detects the hard-coded driver and printer names ("QMS 810", "mimikatz", "Kiwi Legit Printer", "Gentil Kiwi") that Mimikatz writes under the print spooler registry keys when exploiting PrintNightmare (CVE-2021-1675 and CVE-2021-34527). A genuine installation of a QMS 810 or Texas Instruments MicroLaser driver creates the same registry path and will fire this rule; such installs are rare, so triage by checking which process wrote the key rather than tuning the string match.

Detection logic

condition: selection or selection_alt or (selection_print and selection_kiwi)
selection:
  TargetObject|contains:
  - \Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\
  - \Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz
selection_alt:
  TargetObject|contains|all:
  - legitprinter
  - \Control\Print\Environments\Windows
selection_kiwi:
  TargetObject|contains:
  - Gentil Kiwi
  - mimikatz printer
  - Kiwi Legit Printer
selection_print:
  TargetObject|contains:
  - \Control\Print\Environments
  - \CurrentVersion\Print\Printers
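The following is an added example, not part of the Sigma rule or the LoFP page: it re-implements the condition above in Python and runs it over a handful of constructed Sysmon registry-event TargetObject values, including the legitimate QMS 810 driver install that this LoFP entry describes. Sigma `contains` is matched case-insensitively by the common backends, which the helpers mirror; the `logsource` (Sysmon registry events) is not shown on the page and is assumed here. The sample events, their Image fields and the specific value names under the driver key are constructed for illustration.

```python
"""Run the 'PrinterNightmare Mimikatz Driver Name' Sigma logic over
constructed registry events (added example, not the rule's own code)."""

# Needles copied from the rule's selections. Plain strings are used because a
# Python raw string cannot end in a backslash (the QMS 810 needle does).
SELECTION = (
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\",
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz",
)
SELECTION_ALT_ALL = ("legitprinter", "\\Control\\Print\\Environments\\Windows")
SELECTION_KIWI = ("Gentil Kiwi", "mimikatz printer", "Kiwi Legit Printer")
SELECTION_PRINT = ("\\Control\\Print\\Environments", "\\CurrentVersion\\Print\\Printers")


def _contains_any(value, needles):
    """Sigma 'contains' with a list: case-insensitive, any needle matches."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    """Sigma 'contains|all': every needle must be present."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches(target_object):
    """condition: selection or selection_alt or (selection_print and selection_kiwi)"""
    return (
        _contains_any(target_object, SELECTION)
        or _contains_all(target_object, SELECTION_ALT_ALL)
        or (
            _contains_any(target_object, SELECTION_PRINT)
            and _contains_any(target_object, SELECTION_KIWI)
        )
    )


# Constructed Sysmon EventID 13 (registry value set) style events. Image is a
# hypothetical field used only to show how an analyst would triage a hit.
SAMPLE_EVENTS = [
    # Mimikatz misc::printnightmare default driver name (assumed path layout)
    {"Image": "C:\\Users\\bob\\mimikatz.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments"
                     "\\Windows x64\\Drivers\\Version-3\\QMS 810\\Configuration File"},
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments"
                     "\\Windows x64\\Drivers\\Version-3\\mimikatz\\Data File"},
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments"
                     "\\Windows x64\\Drivers\\Version-3\\Legitprinter\\Driver"},
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print"
                     "\\Printers\\Kiwi Legit Printer\\Printer Driver"},
    # The LoFP case: a real QMS 810 driver installed through the spooler.
    # Same key as the first event, so the rule cannot tell them apart by path.
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments"
                     "\\Windows x64\\Drivers\\Version-3\\QMS 810\\Driver"},
    # Benign printer activity that must not fire.
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments"
                     "\\Windows x64\\Drivers\\Version-3\\HP Universal Printing PCL 6\\Driver"},
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print"
                     "\\Printers\\HP LaserJet\\Printer Driver"},
]


def evaluate(events):
    """Return the TargetObject of every event the rule would alert on."""
    return [ev["TargetObject"] for ev in events if matches(ev["TargetObject"])]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = "ALERT" if matches(ev["TargetObject"]) else "     "
        print(f"{flag} {ev['Image']:<40} {ev['TargetObject']}")
```

The fifth event shows why this is a listed false positive: the legitimate QMS 810 install and the Mimikatz write land on the identical registry path, so the string match alone cannot separate them. What does separate them in the sample is the writing process (a user-run binary versus spoolsv.exe), which the rule does not examine; that is the field to pivot on during triage, and it is why the page marks this FP as unlikely rather than suggesting the needle be removed.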