Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048

Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
parent ce1f46346f 48c5f2ed09
commit c1f4787566
1 changed files with 4 additions and 3 deletions
@@ -2,9 +2,9 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
 id: 7ec912f2-5175-4868-b811-ec13ad0f8567
 status: experimental
 description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
-author: EagleEye Team, Florian Roth
+author: EagleEye Team, Florian Roth, NVISO
 date: 2020/05/13
-modified: 2020/05/23
+modified: 2020/05/26
 references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
 tags:
@@ -23,10 +23,11 @@ detection:
            - SetValue
            - DeleteValue
            - CreateValue
-        TargetObject|contains:
+        Details|contains:
            - '.dll'
            - '.exe'
            - '.bat'
+            - '.com'
            - 'C:'
    condition: selection
 falsepositives: