Simple policy to detect CVE-2021-1675

Following functionality are provided by the script

::

This zeek package Utilizes pcap and work of : https://github.com/LaresLLC/CVE-2021-1675.git

builds upon the fact that

Installation

zeek-pkg install zeek/initconf/ or @load

Detailed Notes:

Detail Alerts and descriptions: Following alerts are generated by the script:

Heuristics are simple: check for

\pipe\spoolss in named_pipe
spoolss in endpoint
RpcEnumPrinterDrivers OR RpcAddPrinterDriverEx in operation

This should generate following Kinds of notices: Example notice: ***********************

1625227917.821008 - 192.168.1.149 50070 192.168.1.157 445 - - - tcp CVE_2021_1675::Match CVE-2021-1675 Matches on \pipe\spoolss spoolss RpcEnumPrinterDrivers - 192.168.1.149 192.168.1.157 445 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG60.000000 - - - - - 1625227917.952406 - 192.168.1.149 50070 192.168.1.157 445 - - - tcp CVE_2021_1675::Match CVE-2021-1675 Matches on \pipe\spoolss spoolss RpcAddPrinterDriverEx - 192.168.1.149 192.168.1.157 445 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG60.000000 - - -

initconf/cve-2021-1675-printnightmare

Simple policy to detect CVE-2021-1675

Following functionality are provided by the script

Installation

Detailed Notes:

Detail Alerts and descriptions: Following alerts are generated by the script: