Possible PrintNightmare Print Driver Install

Summary
The 'Possible PrintNightmare Print Driver Install' detection rule identifies the remote installation of print drivers on a system. This behavior can indicate exploitation of the PrintNightmare vulnerability (CVE-2021-1675), in which an attacker uses RPC functions to install a print driver remotely; it is uncommon in normal operation because print drivers are usually installed locally or through group policy. The rule's selection condition matches the specific RPC operations involved in driver installation, such as 'RpcAsyncInstallPrinterDriverFromPackage' and others, so that an alert is raised whenever one of these operations is observed. The rule is important for organizations defending against attacks that leverage this vulnerability, particularly in environments where print services are heavily used.
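The selection logic described above, expressed as an added Python illustration rather than the rule's own YAML: the audit-log format and the field names (op, src, proc) are constructed stand-ins for an RPC audit source, and the two operation names beyond the one quoted on the page are MS-RPRN/MS-PAR driver-install calls included here as an assumption about what "and others" covers.

```python
"""Sigma-style selection for remote print-driver installs over RPC.

Added illustration, not the rule's own definition. Log format and field
names are constructed; see DRIVER_INSTALL_OPS for which names are assumed.
"""
from ipaddress import ip_address
from typing import Dict, List

# RPC operations tied to print-driver installation. The first is the one
# named on the page; the other two are assumed additional entries.
DRIVER_INSTALL_OPS = {
    "RpcAsyncInstallPrinterDriverFromPackage",
    "RpcAddPrinterDriverEx",
    "RpcAsyncAddPrinterDriver",
}


def parse_line(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value key=value' audit line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_remote(src: str) -> bool:
    """Loopback callers are local installs; anything else counts as remote."""
    try:
        return not ip_address(src).is_loopback
    except ValueError:
        return True  # unparsable source: do not let it slip past the rule


def selection(event: Dict[str, str]) -> bool:
    """Rule's selection: a driver-install operation invoked by a remote peer."""
    return event.get("op") in DRIVER_INSTALL_OPS and is_remote(event.get("src", ""))


def find_matches(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed event that satisfies the selection."""
    return [ev for ev in map(parse_line, lines) if selection(ev)]


# Constructed sample audit lines: a local driver add (benign), a remote
# package install (alert), and an unrelated enumeration call (ignored).
SAMPLE_LOG = [
    "ts=2021-08-23T10:00:01Z op=RpcAddPrinterDriverEx src=127.0.0.1 proc=spoolsv.exe",
    "ts=2021-08-23T10:00:05Z op=RpcAsyncInstallPrinterDriverFromPackage src=10.0.0.5 proc=spoolsv.exe",
    "ts=2021-08-23T10:00:09Z op=RpcEnumPrinters src=10.0.0.7 proc=spoolsv.exe",
]

if __name__ == "__main__":
    for ev in find_matches(SAMPLE_LOG):
        print("ALERT remote print driver install:", ev["src"], ev["op"])
```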
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Network Traffic
Created: 2021-08-23