CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Sigma rule
title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020-05-13
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.t1112
    - cve.2020-1048
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
        Details|contains:
            - '.bat'
            - '.com'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
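To show what this selection actually matches, here is an added Python example (not part of the Sigma project or this rule's authors' material) that replays the rule's logic over a handful of constructed registry_set events using the Sysmon Event ID 13 field names TargetObject and Details. Sigma string modifiers such as `contains` are case-insensitive, so both sides are lower-cased before comparison. The sample events, paths and value data are constructed for illustration and are not real telemetry.

```python
"""Replay the CVE-2020-1048 Sigma selection over constructed registry_set events.

Added example; the event shapes assume Sysmon EID 13 field names
(TargetObject = full key/value path, Details = value data).
"""

# The rule's two selection fields, copied from the Sigma rule above.
TARGET_FRAGMENT = r"\Microsoft\Windows NT\CurrentVersion\Ports"
SUSPICIOUS_DETAILS = [".bat", ".com", ".dll", ".exe", ".ps1", ".vbe", ".vbs", "C:"]


def matched_terms(event):
    """Return the Details terms that fire for this event ([] if the rule does not match).

    Mirrors the Sigma semantics: TargetObject|contains AND any Details|contains
    term, with case-insensitive substring matching.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    if TARGET_FRAGMENT.lower() not in target:
        return []
    return [term for term in SUSPICIOUS_DETAILS if term.lower() in details]


def matches_rule(event):
    """True when the selection condition is satisfied."""
    return bool(matched_terms(event))


def scan(events):
    """Return the subset of events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
PORTS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports"
SAMPLE_EVENTS = [
    # 1. Port value whose data is a DLL path under C:\ -> matches on '.dll' and 'C:'.
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": PORTS_KEY + r"\NewPort",
     "Details": r"C:\Windows\System32\example.dll"},
    # 2. Ordinary serial port settings -> no suspicious term in Details.
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": PORTS_KEY + r"\COM1:",
     "Details": "9600,n,8,1"},
    # 3. Suspicious data but a different key -> TargetObject gate does not pass.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\updater.exe"},
    # 4. Legitimate print-to-file local port -> fires on 'C:' (the listed false positive).
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": PORTS_KEY + r"\PrintToFile",
     "Details": r"C:\Temp\output.prn"},
]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: matched terms = {matched_terms(event)}")
```

Two things worth noting when tuning this rule: the selection only inspects Details (the value data), so a write whose only suspicious content is the value name inside TargetObject is not matched by this rule, and the bare `'C:'` term means any local path written as port data, including the legitimate print-to-file case in event 4, will alert, which is why the rule lists new printer port installs as a false positive.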
References
- https://windows-internals.com/printdemon-cve-2020-1048/
Related rules
- Suspicious PrinterPorts Creation (CVE-2020-1048)
- UNC4841 - Email Exfiltration File Pattern
- Writing Of Malicious Files To The Fonts Folder
- Kapeka Backdoor Configuration Persistence
- Kapeka Backdoor Loaded Via Rundll32.EXE