2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide

Overview

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
(Source: https://www.kb.cert.org/vuls/id/383432)

image

Guide to detect by SIEM:

GPO:

Verify the Event logs are enabled:

  • Microsoft-Windows-SMBClient/Security
  • Microsoft-Windows-PrintService/Admin
  • Microsoft-Windows-PrintService/Operational

WEF:

Configure the WEF subscription to collect the logs from the above Event Viewers

* We recommend collecting the logs from all DC’s, Servers, and Workstations.

Parsing:

Parse the logs for getting additional data

SIEM Rules:

  • Create rules based on Windows Events IDs:
    • 316,808
    • 809,810,812 with path: C:\Windows\system32\spool\drivers\x64\3\Old*
    • 31017
  • Create rules based on Anti-Virus signatures

Our Subscription SIEM clients and MSSP clients are fully monitored.

For them, SIEM is Plug and Play.

The art of SIEM is Cyray

 

 admin
Author
author
Share This Story, Choose Your Platform