Potential PrintNightmare Exploit Registry Modification

 1[metadata]
 2creation_date = "2021/07/06"
 3deprecation_date = "2022/03/16"
 4maturity = "deprecated"
 5updated_date = "2022/03/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
11information refer to CVE-2021-34527 and verify that the impacted system is investigated.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential PrintNightmare Exploit Registry Modification"
18references = [
19    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
20    "https://github.com/afwu/PrintNightmare",
21]
22risk_score = 73
23rule_id = "6506c9fd-229e-4722-8f0f-69be759afd2a"
24severity = "high"
25tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30/* This rule is not compatible with Sysmon due to schema issues */
31
32registry where process.name : "spoolsv.exe" and
33  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or
34  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and
35   registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll")))
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42name = "Exploitation for Privilege Escalation"
43id = "T1068"
44reference = "https://attack.mitre.org/techniques/T1068/"
45
46
47[rule.threat.tactic]
48name = "Privilege Escalation"
49id = "TA0004"
50reference = "https://attack.mitre.org/tactics/TA0004/"