From 0575fa8d811813bb8e6daec2ffbc59301ef58639 Mon Sep 17 00:00:00 2001
From: ecco
Date: Fri, 15 May 2020 07:25:05 -0400
Subject: [PATCH] fix CVE 2020-1048 rule

---
 rules/windows/sysmon/sysmon_cve-2020-1048.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
index a171d24f5..8c3a15711 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
@@ -1,5 +1,5 @@
 action: global
-title: Suspicious PrinterPorts Created
+title: Suspicious PrinterPorts Created (CVE-2020-1048)
 id: 7ec912f2-5175-4868-b811-ec13ad0f8567
 status: experimental
 description: Detects new registry printer port was created or powershell command add new printer port which point to suspicious file
@@ -26,7 +26,10 @@ detection:
             - 12
             - 13
         TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
-        EventType: CreateKey
+        EventType:
+            - SetValue
+            - DeleteValue
+            - CreateValue
         TargetObject|contains:
             - '.dll'
             - '.exe'
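Review bot: The description kept by the first hunk still says the rule "Detects new registry printer port was created", while the second hunk drops `CreateKey` and adds `DeleteValue`, so the rule now also fires on removal of a port entry and no longer on key creation; the description should follow, e.g. `description: Detects creation, modification or deletion of a registry printer port entry, or a powershell command adding a printer port, pointing to a suspicious file`. It is also worth a `# ...` comment on the `EventType` list stating which Sysmon event IDs each value is expected to arrive under (the selection pairs them with EventID 12 and 13), because `CreateValue` may not be an EventType Sysmon emits if value creation is recorded as `SetValue`; if that entry is dead it should be justified or removed. The detection block and the rule's condition continue outside the hunk, so whether the second selection still references this one could not be checked.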