CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports) with data that includes a Windows drive path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 (PrintDemon), a Windows Print Spooler elevation of privilege vulnerability: a low-privileged user adds a printer port whose name is a file path, and the spooler, running as SYSTEM, later writes the print job to that path.
Sigma rule

```yaml
title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020-05-13
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.t1112
    - cve.2020-1048
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
        Details|contains:
            - '.bat'
            - '.com'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
```
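The selection above run over constructed registry telemetry, as an added example that is not part of the rule or of SigmaHQ. It assumes the usual Sigma mapping of the `registry_set` category to Sysmon Event ID 13 (RegistryEvent, Value Set) and uses that event's field names; the four sample records, the paths in them and the file name `payload.dll` are invented for illustration. Sigma's `contains` modifier is case-insensitive unless `|cased` is added, so both matchers lowercase before comparing. One caveat a practitioner should check before deploying: in the `Ports` key each port is a registry *value name* (`COM1:`, `FILE:`, and so on) whose data holds serial settings or is empty, so a port created with a file path as its name shows up in the tail of `TargetObject` rather than necessarily in `Details`. The second matcher, `matches_rule_extended`, is an assumed broadening that also inspects the value name; it is not what the rule as published does.

```python
"""Added example: the rule's selection applied to constructed Sysmon Event ID 13 records.
Not part of the Sigma rule or SigmaHQ; field names follow Sysmon's RegistryEvent (Value Set)."""
from typing import Callable, Dict, List

PORTS_KEY = r"\Microsoft\Windows NT\CurrentVersion\Ports"
SUSPICIOUS_TOKENS = [".bat", ".com", ".dll", ".exe", ".ps1", ".vbe", ".vbs", "C:"]


def _contains(haystack: str, needle: str) -> bool:
    # Sigma's |contains is case-insensitive unless |cased is also given.
    return needle.lower() in (haystack or "").lower()


def matches_rule(event: Dict[str, object]) -> bool:
    """The selection exactly as the rule states it: Ports key in TargetObject
    AND any suspicious token in Details (the value data)."""
    if not _contains(str(event.get("TargetObject", "")), PORTS_KEY):
        return False
    details = str(event.get("Details", ""))
    return any(_contains(details, tok) for tok in SUSPICIOUS_TOKENS)


def port_name(event: Dict[str, object]) -> str:
    """Tail of TargetObject after the Ports key: the registry value name, i.e. the port name."""
    target = str(event.get("TargetObject", ""))
    idx = target.lower().find(PORTS_KEY.lower())
    if idx < 0:
        return ""
    return target[idx + len(PORTS_KEY):].lstrip("\\")


def matches_rule_extended(event: Dict[str, object]) -> bool:
    """Assumed broadening (not the published rule): same tokens, but checked against
    both the value data and the value name, since Add-PrinterPort puts the path in the name."""
    if not _contains(str(event.get("TargetObject", "")), PORTS_KEY):
        return False
    fields = (str(event.get("Details", "")), port_name(event))
    return any(_contains(f, tok) for f in fields for tok in SUSPICIOUS_TOKENS)


# Constructed sample events (Sysmon Event ID 13 field names; every value below is invented).
# How a given sensor renders empty REG_SZ data is not assumed here; "" is used as a placeholder.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\COM1:",
     "Details": "9600,n,8,1"},                                   # legitimate serial port: no match
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\evilport",
     "Details": r"C:\Windows\Temp\payload.dll"},                 # path in value data: rule fires
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\C:\Windows\Temp\payload.dll",
     "Details": ""},                                             # path as value name: only the extended matcher fires
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"C:\Program Files\App\app.exe"},                # wrong key: no match despite .exe and C:
]


def run(events: List[Dict[str, object]],
        matcher: Callable[[Dict[str, object]], bool] = matches_rule) -> List[int]:
    """Indices of events the matcher flags; the EventID filter mirrors the registry_set mapping."""
    return [i for i, e in enumerate(events) if e.get("EventID") == 13 and matcher(e)]


if __name__ == "__main__":
    print("rule as written  :", run(SAMPLE_EVENTS))
    print("value-name aware :", run(SAMPLE_EVENTS, matches_rule_extended))
```

Running the block flags only the second record with the rule as written and the second and third with the value-name-aware variant; the legitimate `COM1:` entry and the unrelated `Winlogon\Shell` write are ignored by both. If your telemetry shows the new port in the value name rather than in `Details`, consider a second selection on `TargetObject` before relying on this rule for CVE-2020-1048 coverage.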
References
- https://windows-internals.com/printdemon-cve-2020-1048/
Related rules
- Control Panel Items
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System