This repo contains an EVTX sample of the CVE-2021-1675 attack as well as a minimal Sysmon configuration file that can be used to generate the relevant telemetry.
Please note that these rules may be circumvented; patch as appropriate and disable the Print Spooler service on domain controllers.
https://twitter.com/ionstorm/status/1410258694386880518
https://twitter.com/dez_/status/1410298162548559875
https://twitter.com/markus_neis/status/1410255678996942854
https://twitter.com/cyb3rops/status/1410250996362715137
https://twitter.com/gentilkiwi/status/1410066827590447108
https://twitter.com/wdormann/status/1410198834970599425
The provided Sysmon configuration (CVE-2021-1675.xml) file can be installed with Sysmon Config Pusher: https://github.com/LaresLLC/SysmonConfigPusher
index=sysmon Image="C:\\Windows\\System32\\spoolsv.exe"
| stats values(ImageLoaded),values(TargetObject),values(Details),values(TargetFilename)
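To show how the fields that search pulls back (ImageLoaded, TargetObject, Details, TargetFilename) feed an analyst's triage, here is an added Python example that is not part of this repo: it scores constructed Sysmon events (ID 7 image load, 11 file create, 13 registry set) attributed to spoolsv.exe. The print driver directory, `New`/`Old` staging subfolders and `Control\Print\Environments` registry path it matches are assumptions taken from public PrintNightmare write-ups, not values from the repo's sample EVTX.

```python
import re
from typing import Dict, List, Tuple

SPOOLSV = r"c:\windows\system32\spoolsv.exe"
# Assumed locations (not from this repo): the point-and-print driver
# directory, its New/Old staging subfolders, and the print driver registry hive.
DRIVER_DIR = re.compile(r"\\spool\\drivers\\x64\\3\\", re.IGNORECASE)
STAGING_DIR = re.compile(r"\\spool\\drivers\\x64\\3\\(new|old)\\", re.IGNORECASE)
DRIVER_REG = re.compile(r"\\control\\print\\environments\\.*\\drivers\\", re.IGNORECASE)

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like spooler driver abuse (empty if none)."""
    reasons: List[str] = []
    if ev.get("Image", "").lower() != SPOOLSV:
        return reasons  # only spoolsv.exe activity is in scope here
    eid = ev.get("EventID")
    if eid == "7":  # Sysmon image load: a DLL mapped into the spooler
        loaded = ev.get("ImageLoaded", "")
        if STAGING_DIR.search(loaded):
            reasons.append(f"spoolsv loaded DLL from staging dir: {loaded}")
        elif DRIVER_DIR.search(loaded) and ev.get("Signed", "true").lower() != "true":
            reasons.append(f"spoolsv loaded unsigned driver DLL: {loaded}")
    elif eid == "11":  # Sysmon file create by the spooler
        target = ev.get("TargetFilename", "")
        if DRIVER_DIR.search(target) and target.lower().endswith(".dll"):
            reasons.append(f"spoolsv wrote DLL into driver dir: {target}")
    elif eid == "13":  # Sysmon registry value set: a driver DLL registered
        key = ev.get("TargetObject", "")
        if DRIVER_REG.search(key) and ev.get("Details", "").lower().endswith(".dll"):
            reasons.append(f"spoolsv registered driver DLL {ev['Details']} under {key}")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Pair each flagged event's index with every reason it was flagged."""
    return [(i, r) for i, ev in enumerate(events) for r in score_event(ev)]

# Constructed sample events (not taken from the repo's EVTX).
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Windows\System32\spoolsv.exe", "Signed": "false",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\staged.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\spoolsv.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},
    {"EventID": "11", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\dropped.dll"},
    {"EventID": "13", "Image": r"C:\Windows\System32\spoolsv.exe", "Details": "dropped.dll",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\Test\Configuration File"},
    {"EventID": "11", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\x.dll"},
]
```

Signed Microsoft drivers loaded from the normal `3\` directory (the second event) are left unflagged, which is where most of the noise in the raw Splunk output comes from.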