#1 Based on Sigma rule on detecting the POC code
filemod_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\123
#2 Based on Sigma rule on detecting the POC code
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND parent_cmdline:spoolsv\.exe
#3 Based on Sigma rule on detecting the POC code
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND process_name:spoolsv\.exe
#4 Detecting file events (unsigned), adjust this to your baseline. I did not specify driver path on purpose here since the exploitation and post-exploitation is still a bit unclear. Make sure to adjust this to your baseline (known hash, etc).
process_name:spoolsv\.exe AND NOT filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED
#5 Detecting file events (signed by non MS), adjust this to your baseline
process_name:spoolsv\.exe AND filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED AND NOT filemod_publisher:"Microsoft Windows*"
#6 Based on https://github.com/LaresLLC/CVE-2021-1675
parent_name:spoolsv\.exe AND childproc_name:werfault\.exe