Suspicious PrintSpooler Service Executable File Creation
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/14"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
13information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
14system is patched.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious PrintSpooler Service Executable File Creation"
21references = [
22 "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
23 "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
24]
25risk_score = 73
26rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41file where host.os.type == "windows" and event.type == "creation" and
42 process.name : "spoolsv.exe" and file.extension : "dll" and
43 file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
44 not file.path : (
45 "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
46 "?:\\WINDOWS\\system32\\x5lrs.dll",
47 "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
48 "?:\\WINDOWS\\system32\\PrintConfig.dll",
49 "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll",
50 "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll",
51 "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll",
52 "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll"
53 )
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1068"
61name = "Exploitation for Privilege Escalation"
62reference = "https://attack.mitre.org/techniques/T1068/"
63
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in Microsoft Windows. The bug was originally discovered and reported by Zhipeng Huo (@R3dF09) of Tencent Sec
Read More
Related rules
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service
- Disabling User Account Control via Registry Modification