@infosecn1nja
Last active July 6, 2021 05:39
Wazuh Rules: PrinterNightmare CVE-2021-34527 Exploit Detection
<!--
  - PrinterNightmare CVE-2021-34527 Exploit Detection
  - Created by Rahmat Nurfauzi (@infosecn1nja).
  - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<group name="sysmon,">
  <rule id="99948" level="15">
    <!-- Only Sysmon Event ID 11 (FileCreate) events, as grouped by the base Sysmon rules. -->
    <if_group>sysmon_event_11</if_group>
    <!-- The process creating the file must be the Print Spooler service. -->
    <field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
    <!-- The created file must be unidrv.dll inside a "New" directory; four backslashes
         in OS_Regex match one escaped Windows path separator, and "$" anchors at the end. -->
    <field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
    <description>PrinterNightmare CVE-2021-34527 Exploit Detection</description>
    <info type="text">Detects the suspicious file created by PoC code for the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675</info>
    <info type="text">False positives: Unknown.</info>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>
</group>
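To check what the rule above would fire on before deploying it, here is an added Python re-implementation of its matching logic run over constructed Sysmon events (example code, not part of the gist). It assumes that Wazuh keeps Windows path separators escaped in the decoded `win.eventdata` strings (one separator stored as two backslash characters), which is why the rule's patterns carry four backslashes, and it models membership in the `sysmon_event_11` group as a check on `win.system.eventID`.

```python
import re
from typing import Callable, Dict, List

# Patterns copied from the rule's <field> elements. Wazuh reads them as OS_Regex, where
# "\\\\" is two literal backslashes and "$" anchors at the end of the value; Python raw
# strings keep the same backslash count, so the semantics carry over unchanged.
IMAGE_RE = re.compile(r"\\\\spoolsv.exe$")
TARGET_RE = re.compile(r"\\\\New\\\\unidrv.dll$")
RULE_ID = "99948"

def matches_rule(event: Dict) -> bool:
    """Rule 99948: a Sysmon FileCreate (event 11) where spoolsv.exe writes unidrv.dll
    under a "New" folder. Assumption: the sysmon_event_11 group is modelled as
    win.system.eventID == "11"."""
    win = event.get("win", {})
    if win.get("system", {}).get("eventID") != "11":
        return False
    data = win.get("eventdata", {})
    return bool(IMAGE_RE.search(data.get("Image", ""))
                and TARGET_RE.search(data.get("TargetFilename", "")))

def sysmon_file_create(image: str, target: str, event_id: str = "11",
                       escaped: bool = True) -> Dict:
    """Build a decoded event. Assumption: Wazuh stores each Windows path separator
    as two backslash characters; escaped=False keeps single backslashes instead."""
    esc: Callable[[str], str] = (lambda p: p.replace("\\", "\\\\")) if escaped else (lambda p: p)
    return {"win": {"system": {"eventID": event_id},
                    "eventdata": {"Image": esc(image), "TargetFilename": esc(target)}}}

# Constructed sample events (not real telemetry); the staging path is the spooler's
# driver "New" directory that PoC code writes into.
SPOOLER = r"C:\Windows\System32\spoolsv.exe"
STAGING = r"C:\Windows\System32\spool\drivers\x64\3\New\unidrv.dll"
SAMPLES = [
    ("spooler drops unidrv.dll in New", sysmon_file_create(SPOOLER, STAGING)),
    ("spooler writes outside New", sysmon_file_create(SPOOLER, STAGING.replace(r"\New", ""))),
    ("another process writes the same path", sysmon_file_create(r"C:\Windows\explorer.exe", STAGING)),
    ("same paths but Sysmon event 1", sysmon_file_create(SPOOLER, STAGING, event_id="1")),
    ("single-backslash paths (not how Wazuh stores them)",
     sysmon_file_create(SPOOLER, STAGING, escaped=False)),
]

def alerting_samples() -> List[str]:
    """Return the labels of the constructed samples that would raise rule 99948."""
    return [label for label, ev in SAMPLES if matches_rule(ev)]

if __name__ == "__main__":
    for label in alerting_samples():
        print(f"rule {RULE_ID} fired: {label}")
```

The last sample shows the escaping dependency: if a decoder ever delivered single-backslash paths, the four-backslash patterns would silently stop matching.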