CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Sigma rule (View on GitHub)

 1title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
 2id: 7ec912f2-5175-4868-b811-ec13ad0f8567
 3status: test
 4description: |
 5    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
 6    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.    
 7references:
 8    - https://windows-internals.com/printdemon-cve-2020-1048/
 9author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
10date: 2020-05-13
11modified: 2024-03-25
12tags:
13    - attack.persistence
14    - attack.execution
15    - attack.defense-evasion
16    - attack.t1112
17    - cve.2020-1048
18logsource:
19    product: windows
20    category: registry_set
21detection:
22    selection:
23        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
24        Details|contains:
25            - '.bat'
26            - '.com'
27            - '.dll'
28            - '.exe'
29            - '.ps1'
30            - '.vbe'
31            - '.vbs'
32            - 'C:'
33    condition: selection
34falsepositives:
35    - New printer port install on host
36level: high

References

Related rules

to-top