Potential privilege escalation via CVE-2022-38028
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/04/23"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
12from = "now-9m"
13index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Potential privilege escalation via CVE-2022-38028"
17references = [
18 "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
19]
20risk_score = 73
21rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
22severity = "high"
23tags = [
24 "Domain: Endpoint",
25 "OS: Windows",
26 "Use Case: Threat Detection",
27 "Tactic: Privilege Escalation",
28 "Tactic: Defense Evasion",
29 "Data Source: Elastic Endgame",
30 "Data Source: Elastic Defend",
31 "Data Source: Sysmon",
32 "Data Source: Microsoft Defender for Endpoint",
33 "Data Source: SentinelOne",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39file where host.os.type == "windows" and event.type != "deletion" and
40 file.name : "MPDW-constraints.js" and
41 file.path : (
42 "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
43 "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
44 )
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1068"
52name = "Exploitation for Privilege Escalation"
53reference = "https://attack.mitre.org/techniques/T1068/"
54
55
56[rule.threat.tactic]
57id = "TA0004"
58name = "Privilege Escalation"
59reference = "https://attack.mitre.org/tactics/TA0004/"
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1036"
64name = "Masquerading"
65reference = "https://attack.mitre.org/techniques/T1036/"
66
67
68[rule.threat.tactic]
69id = "TA0005"
70name = "Defense Evasion"
71reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Bypass UAC via Event Viewer
- Conhost Spawned By Suspicious Parent Process
- Suspicious WerFault Child Process
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface