CVE-2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide

Overview

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
(Source: https://www.kb.cert.org/vuls/id/383432)


Guide to detection by SIEM:

GPO:

Verify the Event logs are enabled:

  • Microsoft-Windows-SMBClient/Security
  • Microsoft-Windows-PrintService/Admin
  • Microsoft-Windows-PrintService/Operational

WEF:

Configure the WEF subscription to collect the logs from the Event Viewer channels listed above.

* We recommend collecting the logs from all DCs, servers, and workstations.

Parsing:

Parse the logs to extract the additional fields the rules need (for example the driver path reported in the event message).

SIEM Rules:

  • Create rules based on Windows Event IDs:
    • 316, 808
    • 809, 810, 812 with path: C:\Windows\system32\spool\drivers\x64\3\Old*
    • 31017
  • Create rules based on Anti-Virus signatures
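
The event-ID rules above, expressed as detection logic and run over constructed sample records (an added example, not the guide's own rule set or any vendor's rule syntax). The channel names attached to the sample events are assumed; the rule itself keys only on the event ID and, for 809/810/812, on the parsed driver path, which is matched case-insensitively because Windows paths are.

```python
import fnmatch
from dataclasses import dataclass

# Rule set taken from the guide: IDs that fire on their own, and IDs that
# fire only when the event's path falls under the spooler's Old\ driver directory.
UNCONDITIONAL_IDS = {316, 808, 31017}
PATH_IDS = {809, 810, 812}
OLD_DRIVER_GLOB = r"C:\Windows\system32\spool\drivers\x64\3\Old*"


@dataclass
class WinEvent:
    channel: str
    event_id: int
    path: str = ""  # driver/file path parsed out of the event message, if any


def matches_printnightmare_rule(ev: WinEvent) -> bool:
    """True if this event should raise a PrintNightmare alert under the guide's rules."""
    if ev.event_id in UNCONDITIONAL_IDS:
        return True
    if ev.event_id in PATH_IDS:
        # Lower-case both sides so the wildcard match is case-insensitive on any host.
        return fnmatch.fnmatchcase(ev.path.lower(), OLD_DRIVER_GLOB.lower())
    return False


def run_rules(events):
    """Return (event_id, path) for every event that fires a rule, in input order."""
    return [(ev.event_id, ev.path) for ev in events if matches_printnightmare_rule(ev)]


# Constructed sample records; channel assignments are assumed, not taken from the guide.
SAMPLE_EVENTS = [
    WinEvent("Microsoft-Windows-PrintService/Operational", 316),
    WinEvent("Microsoft-Windows-PrintService/Admin", 808),
    WinEvent("Microsoft-Windows-PrintService/Operational", 812,
             r"C:\Windows\system32\spool\drivers\x64\3\Old\1\sample.dll"),
    WinEvent("Microsoft-Windows-PrintService/Operational", 812,
             r"C:\Windows\system32\spool\drivers\x64\3\vendorprint.dll"),  # normal driver
    WinEvent("Microsoft-Windows-SMBClient/Security", 31017),
    WinEvent("Security", 4624),  # unrelated logon event, must not fire
]

if __name__ == "__main__":
    for event_id, path in run_rules(SAMPLE_EVENTS):
        print(f"ALERT event_id={event_id} path={path or '-'}")
```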

Our Subscription SIEM clients and MSSP clients are fully monitored.

For them, SIEM is Plug and Play.

The art of SIEM is Cyray
