CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Detects value changes under the Print Spooler "Ports" registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports) whose data includes a Windows drive path or a file with a suspicious executable or script extension. This could be an attempt to exploit CVE-2020-1048 (PrintDemon), a Windows Print Spooler elevation-of-privilege vulnerability in which a local port is created that points at a file path the spooler will later write to.

Sigma rule

title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020/05/13
modified: 2024/03/25
tags:
    - attack.persistence
    - attack.execution
    - attack.defense_evasion
    - attack.t1112
    - cve.2020.1048
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
        Details|contains:
            - '.bat'
            - '.com'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
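To see what the selection above actually fires on, here is the rule's logic run over a handful of constructed Sysmon Event ID 13 (Value Set) records, which is the event type Sigma's windows/registry_set log source maps to. This is an added example written for this page, not SigmaHQ or pySigma code; the event dictionaries, the port names (evilport, Ne99:) and the file paths in them are made up for the demonstration. Two details matter for a faithful re-implementation: Sigma's `contains` modifier compares case-insensitively unless `|cased` is added, and both the TargetObject and the Details condition must hold, since they sit in the same selection map.

```python
"""Added example: evaluate the Sigma selection against constructed Sysmon
Event ID 13 records. Illustrative code for this page, not SigmaHQ/pySigma
code; every event below is a constructed sample, not captured telemetry."""

from typing import Iterable

# Values copied from the rule's detection.selection block.
PORTS_KEY_FRAGMENT = r"\Microsoft\Windows NT\CurrentVersion\Ports"
SUSPICIOUS_DETAILS = [".bat", ".com", ".dll", ".exe", ".ps1", ".vbe", ".vbs", "C:"]


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma string modifiers are case-insensitive unless |cased is used,
    so lower-case both sides before the substring test."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's single selection: a registry
    value-set event on the Ports key whose Details contains any listed
    extension or a 'C:' drive prefix. All fields of one selection map are ANDed."""
    if event.get("EventID") != 13:  # Sysmon 13 = RegistryEvent (Value Set)
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not sigma_contains(target, PORTS_KEY_FRAGMENT):
        return False
    return any(sigma_contains(details, s) for s in SUSPICIOUS_DETAILS)


def alerts(events: Iterable[dict]) -> list:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if matches_rule(e)]


# Constructed sample events. Port names and paths are assumptions for the demo.
SAMPLE_EVENTS = [
    {  # benign: serial port settings, the usual content of this key
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\COM1:",
        "Details": "9600,n,8,1",
    },
    {  # suspicious: port data pointing at a DLL path (matches '.dll' and 'C:')
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\evilport",
        "Details": r"C:\Windows\System32\example.dll",
    },
    {  # suspicious: upper-case extension on another drive, still matched
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\Ne99:",
        "Details": r"d:\staging\loader.EXE",
    },
    {  # path in Details but not the Ports key: no alert
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Program Files\Vendor\updater.exe",
    },
    {  # right key, wrong event type (12 = key create/delete): no alert
        "EventID": 12,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",
        "Details": "",
    },
]

if __name__ == "__main__":
    for target in alerts(SAMPLE_EVENTS):
        print("ALERT:", target)
```

Running it flags only the evilport and Ne99: events. The 'C:' entry is what makes the rule catch a port whose data is any path on the system drive regardless of extension; it is also why a legitimate local port install that points at a file (the listed false positive) will fire, so expect to baseline hosts where administrators create such ports.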
