Suspicious Print Spooler Point and Print DLL
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.
# Elastic prebuilt detection rule. [metadata] is rule-repository bookkeeping
# (dates are kept as "YYYY/MM/DD" strings by repo convention, not TOML dates);
# [rule] is the part the detection engine loads.
[metadata]
creation_date = "2020/11/26"
# Integration whose data this rule depends on.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/07"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service.
Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as
SYSTEM.
"""
# Lookback window per scheduled run, relative to execution time. The sequence
# below has to complete within it (it is bounded by maxspan=30s).
from = "now-9m"
# Registry events from Elastic Defend, Elastic Endgame, Sysmon (Windows
# integration) and Winlogbeat.
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler Point and Print DLL"
references = [
 "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
 "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030",
]
risk_score = 73
rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
]
type = "eql"

# Two registry writes on the same host.id, in this order, within 30 seconds:
#   1. a printer's SpoolDirectory value is pointed at the x64 driver directory
#      (...\spool\drivers\x64\4), then
#   2. a CopyFiles\Payload\Module value under the same Printers key is set to a
#      file inside that directory.
# Each registry.path is listed in both the HKLM\... and \REGISTRY\MACHINE\...
# spellings -- presumably because the data sources render the hive differently;
# verify against the integrations before trimming either form.
# `:` is EQL's case-insensitive string match and honours `*` wildcards. The
# SpoolDirectory value is matched exactly (no trailing wildcard) while the
# Module value uses a `\*` suffix; if a data source reports the directory with
# a trailing separator, the first event will not match and the pattern needs tuning.
query = '''
sequence by host.id with maxspan=30s
[registry where host.os.type == "windows" and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory"
 ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
[registry where host.os.type == "windows" and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module"
 ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
'''


# MITRE ATT&CK mapping: T1068 (Exploitation for Privilege Escalation) under
# tactic TA0004 (Privilege Escalation).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"