initconf/cve-2021-1675-printnightmare
Simple policy to detect CVE-2021-1675

The following functionality is provided by the script:

This Zeek package utilizes the pcap and work of: https://github.com/LaresLLC/CVE-2021-1675.git

builds upon the fact that

Installation

zeek-pkg install zeek/initconf/ or @load

Detailed Notes:

Alerts and descriptions: the following alerts are generated by the script:

Heuristics are simple: check for
  1. \pipe\spoolss in named_pipe
  2. spoolss in endpoint
  3. RpcEnumPrinterDrivers OR RpcAddPrinterDriverEx in operation
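The same three checks applied offline to Zeek dce_rpc.log records, as an added example that is not part of this package (the Zeek policy itself runs on live DCE/RPC events); the log lines below are constructed, and the unescaping of `\\` assumes Zeek's ASCII log writer doubled the backslashes in named_pipe:

```python
# Added example (not the initconf package's code): replay the README's three
# heuristics over Zeek dce_rpc.log rows to show which records would fire.
import csv
import io

# Column order of Zeek's dce_rpc.log (default ASCII TSV writer).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]

# Constructed sample rows: two should match, one is ordinary spooler traffic
# on the same pipe, one is unrelated DCE/RPC on a different pipe.
SAMPLE_LOG = """\
1625227917.821008\tCHhAvVGS1DHFjwGM9\t192.168.1.149\t50070\t192.168.1.157\t445\t0.000512\t\\pipe\\spoolss\tspoolss\tRpcEnumPrinterDrivers
1625227917.952406\tCHhAvVGS1DHFjwGM9\t192.168.1.149\t50070\t192.168.1.157\t445\t0.000498\t\\pipe\\spoolss\tspoolss\tRpcAddPrinterDriverEx
1625227918.104211\tCHhAvVGS1DHFjwGM9\t192.168.1.149\t50070\t192.168.1.157\t445\t0.000301\t\\pipe\\spoolss\tspoolss\tRpcOpenPrinterEx
1625227919.330010\tC4J4Th3PJpwUYZZ6gc\t192.168.1.20\t49800\t192.168.1.157\t445\t0.000220\t\\pipe\\srvsvc\tsrvsvc\tNetrShareEnum
"""

# Heuristic 3: the two spooler operations the README names.
SUSPICIOUS_OPS = {"RpcEnumPrinterDrivers", "RpcAddPrinterDriverEx"}


def is_match(rec):
    """Heuristics 1-3 together: spoolss pipe, spoolss endpoint, driver op."""
    # Assumption: Zeek's ASCII writer escapes '\' as '\\'; fold it back so the
    # comparison works on raw logs as well as on already-unescaped text.
    pipe = rec["named_pipe"].replace("\\\\", "\\")
    return (pipe == "\\pipe\\spoolss"
            and rec["endpoint"] == "spoolss"
            and rec["operation"] in SUSPICIOUS_OPS)


def find_matches(log_text):
    """Return every dce_rpc.log row (as a dict) that satisfies the heuristic."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS,
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    return [rec for rec in reader if is_match(rec)]


def format_notice(rec):
    """Render a match in the spirit of the CVE_2021_1675::Match notice msg."""
    return (f"{rec['ts']} {rec['id.orig_h']}:{rec['id.orig_p']} -> "
            f"{rec['id.resp_h']}:{rec['id.resp_p']} CVE-2021-1675 Matches on "
            f"{rec['named_pipe']} {rec['endpoint']} {rec['operation']}")


if __name__ == "__main__":
    for m in find_matches(SAMPLE_LOG):
        print(format_notice(m))
```

Note that RpcOpenPrinterEx on the same pipe does not fire, which is the intended false-positive control: only the two driver enumeration/installation operations count.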

This should generate the following kinds of notices. Example notice.log entries (one per matched operation):

1625227917.821008 - 192.168.1.149 50070 192.168.1.157 445 - - - tcp CVE_2021_1675::Match CVE-2021-1675 Matches on \pipe\spoolss spoolss RpcEnumPrinterDrivers - 192.168.1.149 192.168.1.157 445 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 60.000000 - - - - -

1625227917.952406 - 192.168.1.149 50070 192.168.1.157 445 - - - tcp CVE_2021_1675::Match CVE-2021-1675 Matches on \pipe\spoolss spoolss RpcAddPrinterDriverEx - 192.168.1.149 192.168.1.157 445 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 60.000000 - - -

About

to catch cve-2021-1675-printnightmare
