From 57c8e63acd8a44d79f509142c67d71326d849ef7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 23 May 2020 09:09:58 +0200
Subject: [PATCH 1/2] refactore: split up rule for CVE-2020-1048 into 2 rules
---
.../win_exploit_cve_2020_1048.yml | 31 +++++++++++++++++++
rules/windows/sysmon/sysmon_cve-2020-1048.yml | 27 ++++------------
2 files changed, 37 insertions(+), 21 deletions(-)
create mode 100644 rules/windows/process_creation/win_exploit_cve_2020_1048.yml
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
new file mode 100644
index 000000000..8727efafa
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -0,0 +1,31 @@
+title: Suspicious PrinterPorts Creation (CVE-2020-1048)
+id: cc08d590-8b90-413a-aff6-31d1a99678d7
+status: experimental
+description: Detects new commands that add new printer port which point to suspicious file
+author: EagleEye Team, Florian Roth
+date: 2020/05/13
+modified: 2020/05/23
+references:
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+tags:
+ - attack.persistence
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'Add-PrinterPort -Name'
+ - '.dll'
+ selection2:
+ CommandLine|contains|all:
+ - 'Add-PrinterPort -Name'
+ - '.exe'
+ selection3:
+ CommandLine|contains:
+ - 'Generic / Text Only'
+ condition: 1 of them
+falsepositives:
+ - New printer port install on host
+level: high
diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
index 491590211..d270a4f5d 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
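Review bot: `selection3` (`CommandLine|contains: 'Generic / Text Only'`) fires on its own under `condition: 1 of them`, and it stays standalone in the second patch's `( selection1 and selection2 ) or selection3`, so any command line that merely names the built-in Generic / Text Only printer driver — a routine text-only printer installation — produces a `level: high` hit. The `falsepositives` entry only mentions a new printer port, not a printer or driver install, so the tuning hint does not cover this branch. Either tie selection3 to the port-binding part of the command (for example `CommandLine|contains|all` with `'Generic / Text Only'` and `'-PortName'`) or add a falsepositives line such as `- Legitimate installation of a printer using the Generic / Text Only driver` so analysts know what to expect.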
@@ -1,20 +1,15 @@ -action: global -title: Suspicious PrinterPorts Created (CVE-2020-1048) +title: Suspicious New Printer Ports in Registry (CVE-2020-1048) id: 7ec912f2-5175-4868-b811-ec13ad0f8567 status: experimental -description: Detects new registry printer port was created or powershell command add new printer port which point to suspicious file +description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048 author: EagleEye Team, Florian Roth date: 2020/05/13 -modified: 2020/05/15 +modified: 2020/05/23 references: - https://windows-internals.com/printdemon-cve-2020-1048/ tags: - attack.persistence - attack.execution -falsepositives: - - New printer port install on host -level: high ---- logsource: service: sysmon product: windows
@@ -33,16 +28,6 @@ detection: - '.exe' - 'C:' condition: selection ---- -logsource: - category: process_creation - product: windows -detection: - selection1: - CommandLine|contains: 'Add-PrinterPort -Name' - selection2: - CommandLine|contains: - - '.dll' - - '.exe' - condition: selection1 and selection2 - +falsepositives: + - New printer port install on host +level: high
\ No newline at end of file
From 34006d079431ec5d5892174bf4a1a4f0a30fd1f9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 23 May 2020 09:16:19 +0200
Subject: [PATCH 2/2] refactor: simplified and extended expression in CVE-2020-1048 rule
---
.../process_creation/win_exploit_cve_2020_1048.yml | 10 +++++-----
rules/windows/sysmon/sysmon_cve-2020-1048.yml | 1 +
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
index 8727efafa..9f11649fa 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
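Review bot: The new tail of the file, `+level: high`, is written without a terminating newline (`\ No newline at end of file` follows it), whereas the old side ended with a blank line. yamllint's `new-line-at-end-of-file` check flags this, and the next edit to the file will show a spurious change on the `level: high` line. Add the trailing newline after `level: high`; moving `falsepositives` and `level` to the end otherwise matches the layout of the new process_creation rule.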
@@ -15,17 +15,17 @@ logsource: product: windows detection: selection1: - CommandLine|contains|all: + CommandLine|contains: - 'Add-PrinterPort -Name' - - '.dll' selection2: - CommandLine|contains|all: - - 'Add-PrinterPort -Name' + CommandLine|contains: - '.exe' + - '.dll' + - '.bat' selection3: CommandLine|contains: - 'Generic / Text Only' - condition: 1 of them + condition: ( selection1 and selection2 ) or selection3 falsepositives: - New printer port install on host level: high
diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
index d270a4f5d..866b77756 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
@@ -26,6 +26,7 @@ detection: TargetObject|contains: - '.dll' - '.exe' + - '.bat' - 'C:' condition: selection falsepositives:
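Review bot: `selection2`'s `'.exe'` entry is very likely satisfied by every command this rule can see, because the process_creation CommandLine field normally carries the interpreter image (e.g. `powershell.exe`) ahead of the arguments, so `selection1 and selection2` collapses to `'Add-PrinterPort -Name'` alone and the `.dll`/`.bat` entries add nothing. If the intent is to require the port to point at an executable file, the extension has to be matched next to the port name rather than anywhere in the line, e.g. `CommandLine|re: 'Add-PrinterPort\s+-Name\s+\S*\.(dll|exe|bat)'` replacing selection1 and selection2, with the condition reduced to that selection `or selection3`. Otherwise drop `'.exe'` and state in the description that the cmdlet invocation itself is the trigger, so the rule's real scope is documented.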
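Review bot: The values under `TargetObject|contains` are OR-ed, so the context entry `'C:'` already matches any port value that holds an absolute path, and the added `'.bat'` (like `.dll` and `.exe` before it) only widens a match that is already drive-letter-wide. If the intent is "a path on C: ending in one of these extensions", the extensions need their own selection combined with `and`, e.g. `selection_ext:` with `TargetObject|contains: ['.dll', '.exe', '.bat']`, `selection_path:` with `TargetObject|contains: 'C:'`, and `condition: selection and selection_ext and selection_path`. The `selection` mapping and whatever precedes this key (presumably the EventID and registry-key filter) start above the hunk, so I cannot confirm how `'C:'` was meant to combine with the rest.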