Potential privilege escalation via CVE-2022-38028

calendar Apr 29, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/04/23"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/23"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential privilege escalation via CVE-2022-38028"
19references = [
20  "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
21]
22risk_score = 73
23rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
24severity = "high"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30file where host.os.type == "windows" and
31           file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
32                        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1068"
39name = "Exploitation for Privilege Escalation"
40reference = "https://attack.mitre.org/techniques/T1068/"
41
42
43[rule.threat.tactic]
44id = "TA0004"
45name = "Privilege Escalation"
46reference = "https://attack.mitre.org/tactics/TA0004/"
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1036"
52name = "Masquerading"
53reference = "https://attack.mitre.org/techniques/T1036/"
54
55[rule.threat.tactic]
56id = "TA0005"
57name = "Defense Evasion"
58reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top