← Back to Explore
sigmahighHunting
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Detection Query
selection:
TargetObject|contains|all:
- \Control\Print\Environments\Windows x64\Drivers
- \Manufacturer
Details: (Empty)
filter_cutepdf:
TargetObject|contains: \CutePDF Writer v4.0\
filter_vnc:
TargetObject|contains:
- \VNC Printer (PS)\
- \VNC Printer (UD)\
filter_pdf24:
TargetObject|contains: \Version-3\PDF24\
condition: selection and not 1 of filter_*
Author
Florian Roth (Nextron Systems)
Created
2020-07-01
Data Sources
windowsRegistry Set Events
Platforms
windows
Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574cve.2021-1675
Raw Content
title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth (Nextron Systems)
date: 2020-07-01
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574
- cve.2021-1675
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\Print\Environments\Windows x64\Drivers'
- '\Manufacturer'
Details: '(Empty)'
filter_cutepdf:
TargetObject|contains: '\CutePDF Writer v4.0\'
filter_vnc:
TargetObject|contains:
- '\VNC Printer (PS)\'
- '\VNC Printer (UD)\'
filter_pdf24:
TargetObject|contains: '\Version-3\PDF24\'
condition: selection and not 1 of filter_*
falsepositives:
- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
level: high