Techniques
Sample rules
Possible PrintNightmare Print Driver Install
- source: sigma
- techniques:
Description
Detects the remote installation of a print driver, which is a possible indication of exploitation of PrintNightmare (CVE-2021-1675). Print drivers being installed remotely via RPC functions should be rare, since print drivers are normally installed locally or through Group Policy.
Detection logic
condition: selection
selection:
  operation:
    - RpcAsyncInstallPrinterDriverFromPackage
    - RpcAsyncAddPrintProcessor
    - RpcAddPrintProcessor
    - RpcAddPrinterDriverEx
    - RpcAddPrinterDriver
    - RpcAsyncAddPrinterDriver
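The selection above is a single-field list match, so it can be evaluated without a Sigma backend. The following added example (not code from the Sigma project or from this page) applies the rule's `operation` list to a handful of constructed print-service events. It assumes each event has already been normalised into a dict with an `operation` key holding the RPC function name; the page does not show the underlying Windows log schema, so that layout is an assumption. Matching is case-insensitive, which is the default for string values in Sigma.

```python
"""Evaluate the 'Possible PrintNightmare Print Driver Install' selection
over normalised print-service events.

Added example, not part of the original Sigma rule. The event layout
(dicts with 'operation', 'host', 'client' keys) is assumed.
"""
from typing import Iterable

# RPC operations listed under selection.operation in the rule.
PRINTNIGHTMARE_OPERATIONS = frozenset({
    "RpcAsyncInstallPrinterDriverFromPackage",
    "RpcAsyncAddPrintProcessor",
    "RpcAddPrintProcessor",
    "RpcAddPrinterDriverEx",
    "RpcAddPrinterDriver",
    "RpcAsyncAddPrinterDriver",
})

# Sigma string matching is case-insensitive by default, so compare casefolded.
_OPERATIONS_CASEFOLDED = frozenset(op.casefold() for op in PRINTNIGHTMARE_OPERATIONS)


def matches_printnightmare_rule(event: dict) -> bool:
    """Return True when the event's 'operation' field equals any listed value.

    A Sigma list under a plain field name is an OR of exact matches; a
    missing or non-string field never matches.
    """
    operation = event.get("operation")
    if not isinstance(operation, str):
        return False
    return operation.casefold() in _OPERATIONS_CASEFOLDED


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Run the selection over an event stream and return the hits."""
    return [event for event in events if matches_printnightmare_rule(event)]


# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    # Benign spooler query: not in the rule's list.
    {"host": "print01", "client": "10.0.0.20", "operation": "RpcGetPrinter"},
    # Remote driver install via the documented RPC function: should match.
    {"host": "print01", "client": "10.0.0.55", "operation": "RpcAddPrinterDriverEx"},
    # Same function, different casing: still matches under Sigma semantics.
    {"host": "print01", "client": "10.0.0.55", "operation": "rpcasyncaddprinterdriver"},
    # Event with no operation field at all: never matches.
    {"host": "print01", "client": "10.0.0.7"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"[PrintNightmare rule] host={hit['host']} client={hit['client']} "
              f"operation={hit['operation']}")
```

When triaging hits, the description's own reasoning applies: driver installs that arrive through these RPC functions from a host that is not a print-management workstation or a Group Policy deployment path are the ones worth escalating.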