Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/14"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/09"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
13information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
14system is patched.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious PrintSpooler Service Executable File Creation"
21references = [
22    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
23    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
24]
25risk_score = 73
26rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
27setup = """
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41file where host.os.type == "windows" and event.type == "creation" and
42  process.name : "spoolsv.exe" and file.extension : "dll" and
43  file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
44  not file.path : (
45    "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
46    "?:\\WINDOWS\\system32\\x5lrs.dll",
47    "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
48    "?:\\WINDOWS\\system32\\PrintConfig.dll",
49    "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll",
50    "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll",
51    "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll",
52    "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll"
53  )
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1068"
61name = "Exploitation for Privilege Escalation"
62reference = "https://attack.mitre.org/techniques/T1068/"
63
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top