Suspicious Print Spooler File Deletion

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Data Source: Elastic Endgame Use Case: Vulnerability Data Source: Elastic Defend  ·
Share on: linkedin copy

Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/07/06"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful
13privilege escalation via Print Spooler service related vulnerabilities.
14"""
15false_positives = [
16    """
17    Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as
18    manufacturer and signature information.
19    """,
20]
21from = "now-9m"
22index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
23language = "eql"
24license = "Elastic License v2"
25name = "Suspicious Print Spooler File Deletion"
26note = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
29"""
30references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
31risk_score = 47
32rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
33severity = "medium"
34tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39file where host.os.type == "windows" and event.type : "deletion" and
40 not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and
41 file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1068"
49name = "Exploitation for Privilege Escalation"
50reference = "https://attack.mitre.org/techniques/T1068/"
51
52
53[rule.threat.tactic]
54id = "TA0004"
55name = "Privilege Escalation"
56reference = "https://attack.mitre.org/tactics/TA0004/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

Related rules

to-top