Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information, refer to CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.

Elastic rule

  1[metadata]
  2creation_date = "2020/08/14"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/28"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
 13information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
 14system is patched.
 15"""
 16from = "now-9m"
 17index = [
 18    "winlogbeat-*",
 19    "logs-endpoint.events.file-*",
 20    "logs-windows.sysmon_operational-*",
 21    "endgame-*",
 22    "logs-m365_defender.event-*",
 23    "logs-sentinel_one_cloud_funnel.*",
 24]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "Suspicious PrintSpooler Service Executable File Creation"
 28references = [
 29    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
 30    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
 31]
 32risk_score = 21
 33rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
 34severity = "low"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Windows",
 38    "Use Case: Threat Detection",
 39    "Tactic: Privilege Escalation",
 40    "Data Source: Elastic Endgame",
 41    "Use Case: Vulnerability",
 42    "Data Source: Elastic Defend",
 43    "Data Source: Sysmon",
 44    "Data Source: Microsoft Defender for Endpoint",
 45    "Data Source: SentinelOne",
 46]
 47timestamp_override = "event.ingested"
 48type = "new_terms"
 49
 50query = '''
 51event.category : "file" and host.os.type : "windows" and event.type : "creation" and
 52  process.name : "spoolsv.exe" and file.extension : "dll"
 53'''
 54
 55[[rule.filters]]
 56[rule.filters.meta]
 57negate = false
 58[rule.filters.query.wildcard."file.path"]
 59"case_insensitive" = true
 60"value" = "?:\\\\Windows\\\\Sys?????\\\\*"
 61
 62[[rule.filters]]
 63[rule.filters.meta]
 64negate = true
 65[rule.filters.query.wildcard."file.path"]
 66"case_insensitive" = true
 67"value" = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"
 68
 69[[rule.filters]]
 70[rule.filters.meta]
 71negate = true
 72[rule.filters.query.wildcard."file.path"]
 73"case_insensitive" = true
 74"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
 75
 76[[rule.filters]]
 77[rule.filters.meta]
 78negate = true
 79[rule.filters.query.wildcard."file.path"]
 80"case_insensitive" = true
 81"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
 82
 83[[rule.filters]]
 84[rule.filters.meta]
 85negate = true
 86[rule.filters.query.wildcard."file.path"]
 87"case_insensitive" = true
 88"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
 89
 90[[rule.filters]]
 91[rule.filters.meta]
 92negate = true
 93[rule.filters.query.wildcard."file.path"]
 94"case_insensitive" = true
 95"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
 96
 97[[rule.filters]]
 98[rule.filters.meta]
 99negate = true
100[rule.filters.query.wildcard."file.path"]
101"case_insensitive" = true
102"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
103
# MITRE ATT&CK mapping: one tactic (Privilege Escalation) with a single
# technique (Exploitation for Privilege Escalation).
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0004", name = "Privilege Escalation", reference = "https://attack.mitre.org/tactics/TA0004/" }
technique = [
    { id = "T1068", name = "Exploitation for Privilege Escalation", reference = "https://attack.mitre.org/techniques/T1068/" },
]

# New-terms configuration. An event alerts only when its (host.id, file.path)
# pair has not been observed within the history window, here the preceding
# 14 days. Triage consequence: a second drop to a path that already alerted
# on the same host is suppressed until the window rolls past the first one.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path"]
history_window_start = [{ field = "history_window_start", value = "now-14d" }]

