Potential privilege escalation via CVE-2022-38028

Identifies a privilege-escalation attempt that exploits CVE-2022-38028 to hijack Print Spooler service execution, by detecting file activity on the spooler's MPDW-constraints.js (the only file the rule's query watches; there is no process or event-type filter).


# Rule metadata consumed by Elastic's rule tooling; it is not part of the
# detection logic below.
[metadata]
creation_date = "2024/04/23"
# The two index patterns under [rule] presumably come from these integrations
# (Elastic Defend file events and the Windows/Sysmon integration).
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
# Look-back window per rule execution. Because timestamp_override (below) is
# event.ingested, the window is evaluated on ingest time, so late-arriving
# endpoint events are not silently skipped.
from = "now-9m"
# Three independent file-event sources.
# NOTE(review): the Sysmon source only contributes what the deployed Sysmon
# configuration actually logs (e.g. a FileCreate rule covering these paths);
# without such a rule that index adds no coverage — confirm per deployment.
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
# Microsoft's analysis of the post-compromise tool that exploits CVE-2022-38028;
# the query below watches the MPDW-constraints.js file that, per that write-up,
# the tool is reported to tamper with — verify against the reference.
references = [
    "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
]
risk_score = 73
rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic.
# - Matches ANY file event (create, modify, rename, delete) on the two
#   MPDW-constraints.js locations. There is no event.action / event.type or
#   process filter, so legitimate OS servicing that rewrites WinSxS or
#   DriverStore contents (Windows Update, DISM) may also fire this rule.
#   NOTE(review): confirm on a representative host before adding any
#   process.name / process.executable exclusion; keep exclusions narrow so an
#   attacker cannot hide behind a trusted-looking process name.
# - The ":" operator is a case-insensitive wildcard match, so the mixed-case
#   "DriVerStoRe\FiLeRePoSiToRy" in the first pattern behaves exactly like the
#   canonical spelling; the casing is cosmetic, not an additional filter.
# - NOTE(review): the WinSxS pattern is pinned to the "amd64_" component
#   prefix; the same component on other architectures (e.g. an "arm64_"
#   prefix) would not match — confirm whether that scope is intended.
# The query string is a TOML literal; comments must stay outside it.
query = '''
file where host.os.type == "windows" and
           file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
                        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
'''


# ATT&CK mapping #1: the exploitation itself (T1068) under Privilege Escalation.
# [rule.threat.tactic] is a sub-table of this [[rule.threat]] element and must
# stay between this header and the next [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
# ATT&CK mapping #2: Masquerading (T1036) under Defense Evasion — presumably
# because the tampered file sits in trusted system component directories
# (DriverStore / WinSxS) and carries its legitimate name; confirm against the
# referenced analysis.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
