<!--SCPTAG: Silent Config-->
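<!--
  Sysmon configuration scoped to PrintNightmare (CVE-2021-1675; Microsoft later
  tracked the RCE variant under a separate CVE) activity by the Print Spooler
  service, spoolsv.exe.

  This is a deliberately "silent" config: every event type other than the three
  rules below carries an EMPTY onmatch="include" filter, which Sysmon treats as
  "log nothing of this type". Deployed on its own it therefore produces ONLY the
  three PrintNightmare rules and no other Sysmon telemetry (no ProcessCreate,
  NetworkConnect, DnsQuery, ...). Merge these rules into a baseline config if you
  need normal coverage as well.

  NOTE(review): event types that exist at schema 4.70 but are not listed here
  (e.g. ClipboardChange, ProcessTampering) fall back to Sysmon's per-type
  default; confirm that default is "off" for the Sysmon build you deploy.
-->
<Sysmon schemaversion="4.70">
  <!-- Record every supported hash so the dropped driver DLL can be matched against
       threat-intel regardless of which algorithm the indicator was published in. -->
  <HashAlgorithms>*</HashAlgorithms>
  <!-- Check certificate revocation when evaluating image signatures. -->
  <CheckRevocation/>

  <EventFiltering>
    <!-- Empty include filters: intentionally suppress these event types. -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="include"/>
    </RuleGroup>

    <!-- Rule 1: the spooler loading a DLL out of its own driver store.
         The exploit installs a malicious printer driver, which spoolsv.exe then loads
         from spool\drivers\<arch>\3\. Legitimate driver installs take the same path, so
         expect some noise on print servers; triage on the loaded image's hash and
         signature. The original rule matched only the x64 store; W32X86 is the store
         on 32-bit Windows. NOTE(review): ARM64 hosts use a separate store directory
         that is not covered here. -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Rule name="Suspicious spoolsv.exe ImageLoad" groupRelation="and">
          <Image condition="image">spoolsv.exe</Image>
          <ImageLoaded condition="contains any">spool\drivers\x64\;spool\drivers\W32X86\</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RawAccessRead onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="include"/>
    </RuleGroup>

    <!-- Rule 2: the spooler staging a new driver file.
         Driver payloads are written to spool\drivers\<arch>\3\New\ before being moved
         into place. The original condition was just "contains \New", which fired on
         ANY spoolsv-created path containing that fragment (e.g. a share named
         \NewYork\); requiring the spool driver store as well keeps the rule on the
         exploit path without dropping either architecture. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule name="Suspicious spoolsv.exe FileDrop" groupRelation="and">
          <Image condition="image">spoolsv.exe</Image>
          <TargetFilename condition="contains all">spool\drivers\;\New</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>

    <!-- Rule 3: the spooler registering a driver.
         "Data File" and "Configuration File" are the value names under the printer
         driver's registry key (typically HKLM\...\Control\Print\Environments\
         <arch>\Drivers\Version-3\<driver>\) that point at the DLLs loaded above.
         Ordered Image-first to match the other two rules; the and-relation makes the
         order irrelevant to matching. -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <Rule name="Suspicious spoolsv.exe RegistryEvent" groupRelation="and">
          <Image condition="image">spoolsv.exe</Image>
          <TargetObject condition="contains any">Data File;Configuration File</TargetObject>
        </Rule>
      </RegistryEvent>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
      <FileCreateStreamHash onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <WmiEvent onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>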