Suspicious PrintSpooler Service Executable File Creation
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information, refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
system is patched.
"""
# Per-execution look-back window; presumably wider than the schedule interval so
# late-ingested events are not missed (see timestamp_override below).
from = "now-9m"
# File events are consumed from several sources (Elastic Defend, Sysmon, Endgame,
# Microsoft Defender for Endpoint, SentinelOne); the tags list mirrors this.
index = [
 "winlogbeat-*",
 "logs-endpoint.events.file-*",
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
references = [
 "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
 "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 21
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
]
# The rule window is evaluated against the ingest timestamp rather than the event
# timestamp, which is why `from` above is wider than a single run.
timestamp_override = "event.ingested"
# new_terms: a matching event only alerts when the field combination listed in
# [rule.new_terms] has not been seen within the history window (14 days below).
type = "new_terms"

# Base match: any DLL created by the spooler service process. The [[rule.filters]]
# entries below narrow this to the ?:\Windows\Sys?????\ tree and drop paths that
# presumably result from routine spooler activity (driver / print-processor installs).
query = '''
event.category : "file" and host.os.type : "windows" and event.type : "creation" and
 process.name : "spoolsv.exe" and file.extension : "dll"
'''

# Each filter is a wildcard query on file.path. The quoted key "file.path" is the
# literal field name (one key, not a nested table). In TOML basic strings `\\\\`
# yields `\\` in the stored value, i.e. one escaped backslash per path separator
# for the wildcard query; `?` matches a single character, `*` any run of characters.
# negate = false: positive scope - only paths inside ?:\Windows\Sys?????\ (the five
# `?` cover e.g. System32 and SysWOW64; `?:` is any drive letter).
[[rule.filters]]
[rule.filters.meta]
negate = false
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\*"

# Remaining filters (negate = true) exclude specific DLL paths. NOTE(review): the
# exclusions are path-only, so a DLL the spooler writes into any excluded location
# produces no alert from this rule - confirm that gap is accepted. The spool\
# exclusions name "system32" literally and therefore do not cover a SysWOW64 spool
# path, unlike the Sys????? scope filter above.
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"

# GUID-named subdirectory under spool\ (8-4-4-4-12 hex groups, each `?` one character).
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# A (host.id, file.path) pair alerts the first time it appears; pairs already seen in
# the 14-day history window are suppressed, so a repeat drop to the same path on the
# same host will not re-alert.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path"]
# Single-element array-of-tables; the shape looks schema-driven, so keep it rather
# than collapsing to a plain table.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"