Suspicious PrinterPorts Creation (CVE-2020-1048)

 1title: Suspicious PrinterPorts Creation (CVE-2020-1048)
 2id: cc08d590-8b90-413a-aff6-31d1a99678d7
 3status: test
 4description: Detects new commands that add new printer port which point to suspicious file
 5references:
 6    - https://windows-internals.com/printdemon-cve-2020-1048/
 7author: EagleEye Team, Florian Roth
 8date: 2020/05/13
 9modified: 2021/11/27
10tags:
11    - attack.persistence
12    - attack.execution
13    - attack.t1059.001
14    - cve.2020.1048
15    - detection.emerging_threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection1:
21        CommandLine|contains: 'Add-PrinterPort -Name'
22    selection2:
23        CommandLine|contains:
24            - '.exe'
25            - '.dll'
26            - '.bat'
27    selection3:
28        CommandLine|contains: 'Generic / Text Only'
29    condition: (selection1 and selection2) or selection3
30falsepositives:
31    - New printer port install on host
32level: high

References

• PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more) – Winsider Seminars & Solutions Inc.

  

  We promised you there would be a Part 1 to FaxHell, and with today’s Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the Windows Print Spoo...

  
  Read More

Related rules

• Exploited CVE-2020-10189 Zoho ManageEngine
• Greenbug Espionage Group Indicators
• Operation Wocao Activity
• Operation Wocao Activity - Security
• Potential Emotet Activity