Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information, refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.


 1[metadata]
 2creation_date = "2020/08/14"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
11information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
12system is patched.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Suspicious PrintSpooler Service Executable File Creation"
19references = [
20    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
21    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
22]
23risk_score = 73
24rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
25setup = """## Setup
26
27If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
28events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
29Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
30`event.ingested` to @timestamp.
31For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
32"""
33severity = "high"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Privilege Escalation",
39    "Data Source: Elastic Endgame",
40    "Use Case: Vulnerability",
41    "Data Source: Elastic Defend",
42    "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48file where host.os.type == "windows" and event.type == "creation" and
49  process.name : "spoolsv.exe" and file.extension : "dll" and
50  file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
51  not file.path : (
52    "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
53    "?:\\WINDOWS\\system32\\x5lrs.dll",
54    "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
55    "?:\\WINDOWS\\system32\\PrintConfig.dll",
56    "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll",
57    "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll",
58    "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll",
59    "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll"
60  )
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1068"
68name = "Exploitation for Privilege Escalation"
69reference = "https://attack.mitre.org/techniques/T1068/"
70
71
72[rule.threat.tactic]
73id = "TA0004"
74name = "Privilege Escalation"
75reference = "https://attack.mitre.org/tactics/TA0004/"


