Suspicious PrintSpooler Service Executable File Creation
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVEs - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 - and verify that the impacted system is patched.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVEs - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 - and verify that the impacted
system is patched.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 73
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll" and
  file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
  not file.path :
        ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
         "?:\\WINDOWS\\system32\\x5lrs.dll",
         "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
         "?:\\WINDOWS\\system32\\PrintConfig.dll")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
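An added example, not part of the Elastic rule or its repository: the query predicate above re-implemented in Python and run over constructed file-creation events, so the directory filter, the allowlist and the case-insensitive `:` wildcard semantics can be checked offline. Field names follow ECS as in the query; the sample paths and process names are constructed, and `fnmatch` is assumed to be an adequate stand-in for EQL's `?`/`*` wildcards.

```python
from fnmatch import fnmatchcase

# Patterns copied from the rule's query (EQL ':' operator, case-insensitive).
WATCHED_DIRS = ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*")
ALLOWLIST = (
    "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
    "?:\\WINDOWS\\system32\\x5lrs.dll",
    "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
    "?:\\WINDOWS\\system32\\PrintConfig.dll",
)


def eql_match(value, *patterns):
    """Emulate EQL ':' : case-insensitive wildcard match ('?' = one char, '*' = any run)."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def rule_matches(event):
    """True when a flattened ECS event satisfies the rule's query predicate."""
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") == "creation"
        and eql_match(event.get("process.name"), "spoolsv.exe")
        and eql_match(event.get("file.extension"), "dll")
        and eql_match(event.get("file.path"), *WATCHED_DIRS)
        and not eql_match(event.get("file.path"), *ALLOWLIST)
    )


def _event(proc, path, ext="dll", etype="creation"):
    return {"host.os.type": "windows", "event.type": etype,
            "process.name": proc, "file.extension": ext, "file.path": path}


# Constructed sample events (not real telemetry); only the first and third should alert.
SAMPLE_EVENTS = [
    _event("spoolsv.exe", "C:\\Windows\\System32\\sample1.dll"),          # alert
    _event("spoolsv.exe", "C:\\Windows\\System32\\PrintConfig.dll"),      # allowlisted
    _event("spoolsv.exe", "D:\\Windows\\SysWOW64\\sample2.DLL", "DLL"),   # alert (case-insensitive)
    _event("spoolsv.exe", "C:\\Users\\Public\\sample3.dll"),              # outside watched dirs
    _event("svchost.exe", "C:\\Windows\\System32\\sample4.dll"),          # wrong process
    _event("spoolsv.exe", "C:\\Windows\\System32\\sample5.dll", etype="modification"),
]


def alerts(events):
    """Return the file paths of events that would fire the rule."""
    return [e["file.path"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```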