Potential PrintNightmare File Modification

 1[metadata]
 2creation_date = "2021/07/06"
 3deprecation_date = "2022/03/16"
 4maturity = "deprecated"
 5updated_date = "2022/03/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit
11privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527
12and verify that the impacted system is investigated.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential PrintNightmare File Modification"
19references = [
20    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
21    "https://github.com/afwu/PrintNightmare",
22]
23risk_score = 73
24rule_id = "5e87f165-45c2-4b80-bfa5-52822552c997"
25severity = "high"
26tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31/* This rule is compatible with both Sysmon and Elastic Endpoint */
32
33file where process.name : "spoolsv.exe" and 
34 file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and
35 file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*"
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1068"
43reference = "https://attack.mitre.org/techniques/T1068/"
44name = "Exploitation for Privilege Escalation"
45
46
47[rule.threat.tactic]
48id = "TA0004"
49reference = "https://attack.mitre.org/tactics/TA0004/"
50name = "Privilege Escalation"