Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities in the Print Spooler service. For more information refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.

Elastic rule

```toml
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
system is patched.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 73
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll" and
  file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
  not file.path :
          ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
           "?:\\WINDOWS\\system32\\x5lrs.dll",
           "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
           "?:\\WINDOWS\\system32\\PrintConfig.dll")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
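To show what the EQL query above actually selects, here is an added Python re-implementation of the rule's matching logic run over a handful of constructed file events. This is example code written for this page, not part of the Elastic rule or the detection-rules repository; the event field names follow ECS as used in the query, and the sample events are invented. EQL's `:` operator is approximated with case-insensitive `fnmatch` wildcards, which is enough to illustrate the system-directory filter and the exclusion list.

```python
import fnmatch
from typing import Iterable, Sequence

# Wildcard lists copied from the rule's query. EQL escapes backslashes inside
# its string literals, so the raw strings below are the same patterns.
SYSTEM_DIRS = (r"?:\Windows\System32\*", r"?:\Windows\SysWOW64\*")
EXCLUSIONS = (
    r"?:\WINDOWS\SysWOW64\PrintConfig.dll",
    r"?:\WINDOWS\system32\x5lrs.dll",
    r"?:\WINDOWS\sysWOW64\x5lrs.dll",
    r"?:\WINDOWS\system32\PrintConfig.dll",
)


def eql_match(value, patterns: Sequence[str]) -> bool:
    """Approximate EQL's ':' operator: case-insensitive comparison where '*'
    matches any run of characters (path separators included) and '?' matches
    exactly one character. fnmatch treats a backslash as a literal character,
    so Windows paths work as-is."""
    if value is None:
        return False
    lowered = str(value).lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's query against one flattened ECS-style event."""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") == "creation"
        and eql_match(event.get("process.name"), ("spoolsv.exe",))
        and eql_match(event.get("file.extension"), ("dll",))
        and eql_match(event.get("file.path"), SYSTEM_DIRS)
        and not eql_match(event.get("file.path"), EXCLUSIONS)
    )


def find_alerts(events: Iterable[dict]) -> list:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]


def _file_event(process: str, path: str, action: str = "creation") -> dict:
    # Helper for constructing sample events; the extension is derived from the path.
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return {
        "event.category": "file",
        "event.type": action,
        "host.os.type": "windows",
        "process.name": process,
        "file.path": path,
        "file.extension": ext,
    }


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # spooler writes a DLL into System32: alert
    _file_event("spoolsv.exe", r"C:\Windows\System32\evil.dll"),
    # explicitly excluded path: no alert
    _file_event("spoolsv.exe", r"C:\WINDOWS\system32\PrintConfig.dll"),
    # subdirectory of System32 (driver store) also matches the wildcard: alert
    _file_event("spoolsv.exe", r"C:\Windows\System32\spool\drivers\x64\3\vendor.dll"),
    # outside the monitored directories: no alert
    _file_event("spoolsv.exe", r"C:\Users\Public\payload.dll"),
    # different process: no alert
    _file_event("explorer.exe", r"C:\Windows\System32\something.dll"),
    # not a creation event: no alert
    _file_event("spoolsv.exe", r"C:\Windows\SysWOW64\old.dll", action="deletion"),
    # not a DLL: no alert
    _file_event("spoolsv.exe", r"C:\Windows\System32\notes.txt"),
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["process.name"], "created", hit["file.path"])
```

Note that the `*` wildcard also matches DLLs written into subdirectories of System32, so legitimate printer driver installs performed by the spooler can match as well; the rule's exclusion list is where such environment-specific paths are baselined out.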

Setup

If you enable an EQL rule on a non-Elastic-Agent index (such as Beats) on stack versions earlier than 8.2, events will not carry event.ingested, and the default fallback for EQL rules was not added until 8.2, so you will need a custom ingest pipeline that populates event.ingested from @timestamp for this rule to work.
