infosecn1nja · July 6, 2021 05:39
diff --git a/printernightmare_cve_2021_34527.xml b/printernightmare_cve_2021_34527.xml
 <!--
  -  PrinterNightmare CVE-2021-34527 Exploit Detection
  -  Created by Rahmat Nurfauzi (@infosecn1nja).
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
 -->
 <group name="sysmon,">
 <rule id="99948" level="15">
 	<if_group>sysmon_event_11</if_group>
 	<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
 	<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
 	<description>PrinterNightmare CVE-2021-34527 Exploit Detection</description>
 	<info type="text">Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675</info>
 	<info type="text">Falsepositives: Unknown. </info>
  <mitre>
    <id>T1055</id>
  </mitre>  
 </rule>
 </group>
	<!--
	- PrinterNightmare CVE-2021-34527 Exploit Detection
	- Created by Rahmat Nurfauzi (@infosecn1nja).
	- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
	-->
	<group name="sysmon,">
	<rule id="99948" level="15">
	<if_group>sysmon_event_11</if_group>
	<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
	<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
	<description>PrinterNightmare CVE-2021-34527 Exploit Detection</description>
	<info type="text">Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675</info>
	<info type="text">Falsepositives: Unknown. </info>
	<mitre>
	<id>T1055</id>
	</mitre>
	</rule>
	</group>