Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information, refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.


  1[metadata]
  2creation_date = "2020/08/14"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/10"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
 11information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
 12system is patched.
 13"""
 14from = "now-9m"
 15index = [
 16    "winlogbeat-*",
 17    "logs-endpoint.events.file-*",
 18    "logs-windows.sysmon_operational-*",
 19    "endgame-*",
 20    "logs-m365_defender.event-*",
 21    "logs-sentinel_one_cloud_funnel.*",
 22]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "Suspicious PrintSpooler Service Executable File Creation"
 26references = [
 27    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
 28    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
 29]
 30risk_score = 21
 31rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
 32severity = "low"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Privilege Escalation",
 38    "Data Source: Elastic Endgame",
 39    "Use Case: Vulnerability",
 40    "Data Source: Elastic Defend",
 41    "Data Source: Sysmon",
 42    "Data Source: Microsoft Defender for Endpoint",
 43    "Data Source: SentinelOne",
 44]
 45timestamp_override = "event.ingested"
 46type = "new_terms"
 47
 48query = '''
 49event.category : "file" and host.os.type : "windows" and event.type : "creation" and
 50  process.name : "spoolsv.exe" and file.extension : "dll"
 51'''
 52
 53[[rule.filters]]
 54[rule.filters.meta]
 55negate = false
 56[rule.filters.query.wildcard."file.path"]
 57"case_insensitive" = true
 58"value" = "?:\\\\Windows\\\\Sys?????\\\\*"
 59
 60[[rule.filters]]
 61[rule.filters.meta]
 62negate = true
 63[rule.filters.query.wildcard."file.path"]
 64"case_insensitive" = true
 65"value" = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"
 66
 67[[rule.filters]]
 68[rule.filters.meta]
 69negate = true
 70[rule.filters.query.wildcard."file.path"]
 71"case_insensitive" = true
 72"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
 73
 74[[rule.filters]]
 75[rule.filters.meta]
 76negate = true
 77[rule.filters.query.wildcard."file.path"]
 78"case_insensitive" = true
 79"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
 80
 81[[rule.filters]]
 82[rule.filters.meta]
 83negate = true
 84[rule.filters.query.wildcard."file.path"]
 85"case_insensitive" = true
 86"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
 87
 88[[rule.filters]]
 89[rule.filters.meta]
 90negate = true
 91[rule.filters.query.wildcard."file.path"]
 92"case_insensitive" = true
 93"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
 94
 95[[rule.filters]]
 96[rule.filters.meta]
 97negate = true
 98[rule.filters.query.wildcard."file.path"]
 99"case_insensitive" = true
100"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1068"
106name = "Exploitation for Privilege Escalation"
107reference = "https://attack.mitre.org/techniques/T1068/"
108
109
110[rule.threat.tactic]
111id = "TA0004"
112name = "Privilege Escalation"
113reference = "https://attack.mitre.org/tactics/TA0004/"
114
115[rule.new_terms]
116field = "new_terms_fields"
117value = ["host.id", "file.path"]
118[[rule.new_terms.history_window_start]]
119field = "history_window_start"
120value = "now-14d"
