Potential privilege escalation via CVE-2022-38028
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
# Elastic prebuilt detection rule (EQL) for the file drop used in the
# CVE-2022-38028 print spooler privilege-escalation chain.

[metadata]
creation_date = "2024/04/23"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
# Look-back window evaluated on each rule run.
from = "now-9m"
# File-event sources the query runs against; they line up with the
# "Data Source" tags below (Elastic Defend, Sysmon, Elastic Endgame).
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
references = [
    "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
]
risk_score = 73
rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Order events by ingest time rather than event time, presumably so that
# late-arriving events still land inside the `from` window -- confirm.
timestamp_override = "event.ingested"
type = "eql"

# Matches any Windows file event (no event.action filter, so creation,
# modification, rename, etc. all qualify) whose path is MPDW-constraints.js
# under either the DriverStore FileRepository or the WinSxS PrintToPDF
# component directory -- the locations named in the referenced Microsoft
# analysis. The mixed-case "DriVerStoRe" segment is cosmetic: EQL's `:`
# operator compares case-insensitively and supports `*`/`?` wildcards.
# Literal (''') string, so the doubled backslashes are passed to EQL as-is.
query = '''
file where host.os.type == "windows" and
 file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
 "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
'''

# ATT&CK mapping: one [[rule.threat]] element per tactic, each with its
# technique(s) and the tactic it belongs to.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Conhost Spawned By Suspicious Parent Process
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via ICMLuaUtil Elevated COM Interface