Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects commands that add a new printer port pointing to a suspicious file (an executable, DLL or batch file path instead of a real port), or that install a printer with the "Generic / Text Only" driver, the combination used in the PrintDemon (CVE-2020-1048) arbitrary-file-write technique.
Sigma rule

title: Suspicious PrinterPorts Creation (CVE-2020-1048)
id: cc08d590-8b90-413a-aff6-31d1a99678d7
status: test
description: Detects commands that add a new printer port pointing to a suspicious file
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth
date: 2020-05-13
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.t1059.001
    - cve.2020-1048
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'Add-PrinterPort -Name'
    selection2:
        CommandLine|contains:
            - '.exe'
            - '.dll'
            - '.bat'
    selection3:
        CommandLine|contains: 'Generic / Text Only'
    condition: (selection1 and selection2) or selection3
falsepositives:
    - New printer port install on host
level: high
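To see what the rule's condition actually fires on, the following Python re-implements its three selections and `(selection1 and selection2) or selection3` and runs them over a handful of process-creation events. This is an added example, not code from the Sigma project or the rule's authors; the events, host names and file paths in it are constructed, not real telemetry, and it assumes Sigma's default case-insensitive `contains` matching. Besides the intended PrintDemon-style hit, the sample set deliberately includes the two edges a practitioner should know about: a benign TCP/IP port whose command line carries the full `powershell.exe` image path still matches, because selection2 looks for `.exe` anywhere in the CommandLine rather than in the port name, while a port named after a `.txt` file is missed because that extension is not in selection2's list.

```python
"""Re-implementation of the Sigma rule's detection logic over sample events.

Added example, not part of the Sigma rule or its repository. The event
records below are constructed to resemble Sysmon event 1 / process_creation
telemetry; every host, path and command line is made up.
"""

# Sigma 'contains' modifiers match case-insensitively unless |cased is used,
# so both sides are lowercased before comparison.
SELECTION1 = ["add-printerport -name"]
SELECTION2 = [".exe", ".dll", ".bat"]
SELECTION3 = ["generic / text only"]


def _contains_any(command_line: str, needles: list[str]) -> bool:
    haystack = command_line.lower()
    return any(needle in haystack for needle in needles)


def matches_rule(command_line: str) -> bool:
    """condition: (selection1 and selection2) or selection3"""
    sel1 = _contains_any(command_line, SELECTION1)
    sel2 = _contains_any(command_line, SELECTION2)
    sel3 = _contains_any(command_line, SELECTION3)
    return (sel1 and sel2) or sel3


def evaluate(events):
    """Return the events the rule would alert on.

    The logsource restricts the rule to process_creation events, so anything
    else (registry, network, ...) is ignored even if its fields happen to match.
    """
    return [
        ev for ev in events
        if ev.get("Category") == "process_creation"
        and matches_rule(ev.get("CommandLine", ""))
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Port named after a DLL path: the PrintDemon-style write target. Hit.
        "Category": "process_creation", "Host": "WS01",
        "CommandLine": r'powershell -c "Add-PrinterPort -Name C:\Windows\System32\example.dll"',
    },
    {   # Benign TCP/IP port, launched as "powershell" without ".exe": no hit.
        "Category": "process_creation", "Host": "WS02",
        "CommandLine": 'powershell -Command Add-PrinterPort -Name "IP_10.0.0.5" -PrinterHostAddress 10.0.0.5',
    },
    {   # Same benign port, but the full image path is on the command line, so
        # selection2 matches ".exe" in powershell.exe: false positive.
        "Category": "process_creation", "Host": "WS03",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-PrinterPort -Name "IP_10.0.0.6" -PrinterHostAddress 10.0.0.6',
    },
    {   # Driver name alone satisfies selection3, whatever tool adds the printer. Hit.
        "Category": "process_creation", "Host": "WS04",
        "CommandLine": 'rundll32 printui.dll,PrintUIEntry /if /b "Test" /r "FILE:" /m "Generic / Text Only"',
    },
    {   # Port pointing at a .txt file: extension not in selection2, so no hit.
        "Category": "process_creation", "Host": "WS05",
        "CommandLine": r'powershell -c Add-PrinterPort -Name C:\Users\Public\out.txt',
    },
    {   # Matching string in a non-process_creation event: outside the logsource.
        "Category": "registry_set", "Host": "WS01",
        "CommandLine": r"Add-PrinterPort -Name C:\x.exe",
    },
]


def flagged_hosts(events=SAMPLE_EVENTS):
    """Hosts with at least one alert, in event order."""
    return [ev["Host"] for ev in evaluate(events)]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f'{ev["Host"]}: {ev["CommandLine"]}')
```

Two points follow from the run. First, because `Add-PrinterPort` is a cmdlet that executes inside the PowerShell host, typing it at an interactive prompt creates no new process and therefore no process_creation event; the rule only sees the cmdlet when it is passed on a command line (`powershell -c "..."`), which is why the registry-based companion rule listed below is the better coverage for the port itself. Second, selection2 is not anchored to the port name, so in practice most `powershell.exe -c Add-PrinterPort ...` invocations match regardless of the port, which is what the rule's `falsepositives` entry is warning about.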
Related rules
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Exploited CVE-2020-10189 Zoho ManageEngine
- Greenbug Espionage Group Indicators
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation