CVE-2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide

Overview

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

(Source: https://www.kb.cert.org/vuls/id/383432)

Guide to detection by SIEM:

GPO:

Verify that the following event log channels are enabled:

  • Microsoft-Windows-SMBClient/Security
  • Microsoft-Windows-PrintService/Admin
  • Microsoft-Windows-PrintService/Operational

WEF:

Configure the WEF subscription to collect the logs from the event log channels listed above.

* We recommend collecting these logs from all DCs, servers, and workstations.

Parsing:

Parse the collected logs to extract the additional fields (event ID, channel, and file path) that the SIEM rules rely on.

SIEM Rules:

  • Create rules based on the following Windows event IDs:
    • 316, 808
    • 809, 810, 812 when the file path matches C:\Windows\system32\spool\drivers\x64\3\Old*
    • 31017
  • Create rules based on antivirus signature alerts
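The rule logic above, as an added example that is not part of the original post: a small Python matcher that applies the event ID and path conditions to parsed event records. The event messages, the WinEvent shape and the path-extraction regex are constructed assumptions, not the real spooler message formats or any vendor's parser output.

```python
import fnmatch
import re
from dataclasses import dataclass

# Rule inputs from the post: IDs that always alert, IDs that alert only when the
# referenced file sits under the spooler's "Old" driver staging directory.
ALWAYS_ALERT_IDS = {316, 808, 31017}
PATH_SCOPED_IDS = {809, 810, 812}
OLD_DRIVER_GLOB = r"C:\Windows\system32\spool\drivers\x64\3\Old*"
# Assumption: spooler paths contain no spaces, so a path ends at whitespace/quote/comma.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"',]+")

@dataclass
class WinEvent:
    channel: str      # e.g. Microsoft-Windows-PrintService/Operational
    event_id: int
    message: str      # rendered message text as forwarded by WEF

def paths_in(message):
    """Pull Windows file paths out of a rendered event message."""
    return [p.rstrip(".") for p in WIN_PATH_RE.findall(message)]

def hits_old_driver_dir(message):
    """True if any path in the message matches the Old* staging-directory glob."""
    glob = OLD_DRIVER_GLOB.lower()          # NTFS paths are case-insensitive
    return any(fnmatch.fnmatchcase(p.lower(), glob) for p in paths_in(message))

def matches_rule(ev):
    if ev.event_id in ALWAYS_ALERT_IDS:
        return True
    if ev.event_id in PATH_SCOPED_IDS:
        return hits_old_driver_dir(ev.message)
    return False

def run_rules(events):
    """Return the event IDs of all records that trigger the PrintNightmare rules."""
    return [ev.event_id for ev in events if matches_rule(ev)]

# Constructed sample events (not real telemetry) in the shape a WEF parser would emit.
SAMPLE_EVENTS = [
    WinEvent("Microsoft-Windows-PrintService/Operational", 316,
             "Printer driver Sample Driver for Windows x64 Version-3 was added. Files:- sample.dll"),
    WinEvent("Microsoft-Windows-PrintService/Admin", 808,
             r"The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\sample.dll, error code 0x45A."),
    WinEvent("Microsoft-Windows-PrintService/Operational", 810,
             r"Driver file C:\Windows\System32\spool\drivers\x64\3\Old\1\sample.dll was accessed."),
    WinEvent("Microsoft-Windows-PrintService/Operational", 810,
             r"Driver file C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL was accessed."),
    WinEvent("Microsoft-Windows-SMBClient/Security", 31017, "Rejected an insecure guest logon."),
    WinEvent("Microsoft-Windows-PrintService/Operational", 307, "Document 12 was printed."),
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))   # [316, 808, 810, 31017]
```

Event 810 on a driver file outside the Old directory produces no alert, which keeps routine driver loads from flooding the rule.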
Eli Benitah