""ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath""
SID: 2033246
Revision: 3
Class Type: misc-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_06, cve 2021_34527, updated_at 2021_07_08
Reference:
Protocol: tcp
Source Network: any
Source Port: any
Destination Network: $HOME_NET
Destination Port: [139,445]
Flow: established,to_server
Contents:
-
Value: "|00|" Depth: 1
-
Value: "SMB"
-
Value: "|00 00|"
-
Value: "|10 00 00 00|"
-
Value: "|59 00|"
-
Value: "|5c|spool|5c|drivers|5c|x64|5c|3|5c|old|5c|"
Within: 2
PCRE:
Special Options: