Potential privilege escalation via CVE-2022-38028

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.

Elastic rule

```toml
[metadata]
creation_date = "2024/04/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
references = [
    "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
]
risk_score = 73
rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
    file.name : "MPDW-constraints.js" and
    file.path : (
        "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential privilege escalation via CVE-2022-38028

CVE-2022-38028 targets the Windows Print Spooler service, a core component managing print jobs. Adversaries exploit this by manipulating specific JavaScript files within system directories to gain elevated privileges. The detection rule identifies unauthorized file presence in critical paths, signaling potential exploitation attempts, leveraging multiple data sources for comprehensive threat detection.

### Possible investigation steps

- Review the alert details to confirm the presence of the file "MPDW-constraints.js" in the specified critical paths: "?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js" or "?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js".
- Check the file creation and modification timestamps to determine when the file was placed or altered in the system directories.
- Investigate the source of the file by examining recent user activity and process execution logs around the time the file appeared, focusing on any suspicious or unauthorized actions.
- Correlate the event with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or processes that might indicate exploitation attempts.
- Assess the risk and impact by determining if the affected system has any sensitive roles or access that could be leveraged by an attacker through privilege escalation.
- If malicious activity is confirmed, initiate containment measures such as isolating the affected system and conducting a full malware scan to prevent further exploitation.

### False positive analysis

- Legitimate software updates or installations may place JavaScript files in the monitored directories. Verify the source and integrity of the software to ensure it is from a trusted vendor.
- System administrators or automated scripts might deploy or modify JavaScript files in these paths for legitimate configuration purposes. Review change management logs to confirm authorized activities.
- Security tools or system maintenance processes could temporarily create or modify files in these directories. Cross-reference with scheduled tasks or security tool logs to validate these actions.
- Exclude known benign applications or processes that frequently interact with the specified file paths by creating exceptions in the detection rule to reduce noise.
- Regularly update the detection rule to incorporate new intelligence on false positives, ensuring it remains effective and relevant.

### Response and remediation

- Isolate the affected system from the network immediately to prevent further exploitation or lateral movement by the adversary.
- Terminate any suspicious processes related to the Windows Print Spooler service to halt ongoing exploitation attempts.
- Remove unauthorized JavaScript files, specifically "MPDW-constraints.js", from the identified critical paths to eliminate the immediate threat.
- Apply the latest security patches and updates from Microsoft to address CVE-2022-38028 and ensure the system is protected against known vulnerabilities.
- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.
- Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules.
- Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
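As an added example (not part of the Elastic rule or its repository), the Python below replays the query's where-clause over constructed ECS-style file events, so a practitioner can see which records would alert and why the others are dropped before deploying the rule or tuning exceptions. It assumes the standard EQL wildcard semantics for the `:` operator (`*` matches zero or more characters, `?` exactly one, comparison is case-insensitive); the event dictionaries, their ids and the per-driver directory names are constructed for illustration and are not real telemetry.

```python
"""Added example, not Elastic's code: replays the rule's EQL file-event
logic over constructed sample events to show which ones would alert."""
import re
from fnmatch import translate

# Path patterns as the EQL engine sees them: the TOML literal string keeps the
# doubled backslashes and EQL then unescapes "\\" to a single "\".
# EQL ':' is a case-insensitive match where '*' means zero or more characters
# and '?' exactly one, so fnmatch-style globbing is assumed to be a faithful
# translation (assumption: no other glob syntax is involved).
PATH_PATTERNS = [
    r"?:\*\Windows\system32\DriVerStoRe\FiLeRePoSiToRy\*\MPDW-constraints.js",
    r"?:\*\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_*\MPDW-constraints.js",
]
TARGET_FILE_NAME = "MPDW-constraints.js"

# Compile each glob once; re.IGNORECASE mirrors the case-insensitivity of ':'.
_PATH_REGEXES = [re.compile(translate(p), re.IGNORECASE) for p in PATH_PATTERNS]


def path_matches(path: str) -> bool:
    """True when file.path matches any of the rule's wildcard patterns."""
    return any(rx.match(path) for rx in _PATH_REGEXES)


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's where-clause against one ECS-style file event."""
    return (
        event.get("event.category") == "file"          # "file where ..."
        and event.get("host.os.type") == "windows"
        and event.get("event.type") != "deletion"
        and event.get("file.name", "").lower() == TARGET_FILE_NAME.lower()
        and path_matches(event.get("file.path", ""))
    )


def run_rule(events) -> list:
    """Return the ids of the events that would produce an alert."""
    return [e["id"] for e in events if matches_rule(e)]


def _event(eid, os_type, etype, name, path):
    return {"id": eid, "event.category": "file", "host.os.type": os_type,
            "event.type": etype, "file.name": name, "file.path": path}


# Constructed sample telemetry (not real logs); "CONSTRUCTED" stands in for the
# per-driver folder name that appears in real DriverStore/WinSxS paths.
_DS = r"Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_CONSTRUCTED"
_SXS = r"Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_CONSTRUCTED"
SAMPLE_EVENTS = [
    # e1: canonical-looking path directly under the drive root
    _event("e1", "windows", "creation", "MPDW-constraints.js",
           r"C:\%s\MPDW-constraints.js" % _DS),
    # e2: one extra component between the drive letter and Windows
    _event("e2", "windows", "creation", "MPDW-constraints.js",
           r"C:\Mount\%s\MPDW-constraints.js" % _DS),
    # e3: same path as e2 but a deletion, which the rule excludes
    _event("e3", "windows", "deletion", "MPDW-constraints.js",
           r"C:\Mount\%s\MPDW-constraints.js" % _DS),
    # e4: the WinSxS variant of the pattern
    _event("e4", "windows", "creation", "MPDW-constraints.js",
           r"C:\Staging\%s\MPDW-constraints.js" % _SXS),
    # e5: wrong operating system
    _event("e5", "linux", "creation", "MPDW-constraints.js",
           r"C:\Mount\%s\MPDW-constraints.js" % _DS),
    # e6: similar name but not the exact file the rule looks for
    _event("e6", "windows", "creation", "MPDW-constraints.js.bak",
           r"C:\Mount\%s\MPDW-constraints.js.bak" % _DS),
]

if __name__ == "__main__":
    for eid in run_rule(SAMPLE_EVENTS):
        print("alert:", eid)
```

Running it alerts on `e2` and `e4` only. One result worth noticing: because the backslashes on both sides of the `*` are literal, `?:\*\Windows\...` requires at least one path component between the drive letter and `Windows`, so a path directly under the drive root such as `e1` does not match under this translation. Confirm the same behaviour in your EQL engine, and check the path format your data sources actually emit, before relying on the pattern; the same harness is a convenient place to try the exceptions the false-positive section suggests.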