Sample rules
PrinterNightmare Mimikatz Driver Name
- source: sigma
- techniques:
- t1204
Description
Detects the static "QMS 810" and "mimikatz" printer driver names that Mimikatz registers when exploiting CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).
Detection logic
  selection:
    TargetObject|contains:
      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
      - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
  selection_alt:
    TargetObject|contains|all:
      - 'legitprinter'
      - '\Control\Print\Environments\Windows'
  selection_kiwi:
    TargetObject|contains:
      - 'Gentil Kiwi'
      - 'mimikatz printer'
      - 'Kiwi Legit Printer'
  selection_print:
    TargetObject|contains:
      - '\Control\Print\Environments'
      - '\CurrentVersion\Print\Printers'
  condition: selection or selection_alt or (selection_print and selection_kiwi)
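The following is an added example, not the page's or the Sigma project's code: it evaluates the rule's four selections and its condition over constructed Sysmon-style registry events (a `TargetObject` field per event), so the two-part `selection_print and selection_kiwi` clause and the non-matching cases can be checked.

```python
# Added example (not from the page or the Sigma project): applies this rule's
# selections and condition to constructed Sysmon-style registry events.
# Sigma string modifiers are case-insensitive, so both sides are lowercased.

SELECTION = [
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\",
    "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz",
]
SELECTION_ALT = ["legitprinter", "\\Control\\Print\\Environments\\Windows"]  # |all
SELECTION_KIWI = ["Gentil Kiwi", "mimikatz printer", "Kiwi Legit Printer"]
SELECTION_PRINT = ["\\Control\\Print\\Environments", "\\CurrentVersion\\Print\\Printers"]


def contains_any(target: str, needles: list[str]) -> bool:
    t = target.lower()
    return any(n.lower() in t for n in needles)


def contains_all(target: str, needles: list[str]) -> bool:
    t = target.lower()
    return all(n.lower() in t for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: selection or selection_alt or (selection_print and selection_kiwi)"""
    target = event.get("TargetObject", "")
    selection = contains_any(target, SELECTION)
    selection_alt = contains_all(target, SELECTION_ALT)
    selection_print = contains_any(target, SELECTION_PRINT)
    selection_kiwi = contains_any(target, SELECTION_KIWI)
    return selection or selection_alt or (selection_print and selection_kiwi)


# Constructed sample events (registry value set, as Sysmon EventID 13 would log).
# 1-3 should fire; 4 has a Kiwi string but no print key; 5 is an ordinary driver install.
SAMPLE_EVENTS = [
    {"id": 1, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\Configuration File"},
    {"id": 2, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\legitprinter\\Driver"},
    {"id": 3, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Kiwi Legit Printer\\Name"},
    {"id": 4, "TargetObject": "HKCU\\Software\\Gentil Kiwi\\mimikatz\\Test"},
    {"id": 5, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\HP Universal Printing PCL 6\\Driver"},
]


def flag_events(events: list[dict]) -> list[int]:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if rule_matches(e) else "ok   ", e["TargetObject"])
```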