[New Rule] Potential PrintNightmare Exploitation rules (#1326)

* [New Rule] Potential PrintNightmare Exploitation rules

* added Potential PrintNightmare File Modification

* added spoolsv as process name to narrow more the scope

* added Suspicious Print Spooler File Deletion

* removed Suspicious Print Driver Registry Modification cuz of potential noise

* Update privilege_escalation_printspooler_malicious_registry_modification.toml

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adjusted description and added a comment for sysmon compatibility

* added FP note and relinted all files

* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml

@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/07/06"
+maturity = "production"
+updated_date = "2021/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit
+privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527
+and verify that the impacted system is investigated.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential PrintNightmare File Modification"
+references = [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare",
+]
+risk_score = 73
+rule_id = "5e87f165-45c2-4b80-bfa5-52822552c997"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+/* This rule is compatible with both Sysmon and Elastic Endpoint */
+
+file where process.name : "spoolsv.exe" and 
+ file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and
+ file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+reference = "https://attack.mitre.org/techniques/T1068/"
+name = "Exploitation for Privilege Escalation"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+name = "Privilege Escalation"
+

rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2021/07/06"
+maturity = "production"
+updated_date = "2021/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
+information refer to CVE-2021-34527 and verify that the impacted system is investigated.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential PrintNightmare Exploit Registry Modification"
+references = [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare",
+]
+risk_score = 73
+rule_id = "6506c9fd-229e-4722-8f0f-69be759afd2a"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+/* This rule is not compatible with Sysmon due to schema issues */
+
+registry where process.name : "spoolsv.exe" and
+  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or
+  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and
+   registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll")))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Exploitation for Privilege Escalation"
+id = "T1068"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+name = "Privilege Escalation"
+id = "TA0004"
+reference = "https://attack.mitre.org/tactics/TA0004/"

rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2021/07/06"
+maturity = "production"
+updated_date = "2021/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful
+privilege escalation via Print Spooler service related vulnerabilities.
+"""
+false_positives = [
+    """
+    Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as
+    manufacturer and signature information.
+    """,
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Print Spooler File Deletion"
+references = [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare",
+]
+risk_score = 47
+rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.type : "deletion" and
+ not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and
+ file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+reference = "https://attack.mitre.org/techniques/T1068/"
+name = "Exploitation for Privilege Escalation"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+name = "Privilege Escalation"

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2021/07/06"
+maturity = "production"
+updated_date = "2021/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
+escalation vulnerabilities related to the Printing Service on Windows.
+"""
+false_positives = [
+    """
+    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature
+    information.
+    """,
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Print Spooler Child Process"
+references = [
+    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+    "https://github.com/afwu/PrintNightmare",
+]
+risk_score = 47
+rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ process.parent.name : "spoolsv.exe" and user.id : "S-1-5-18" and
+
+ /* exclusions for FP control below */
+ not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
+ not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
+ not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
+ not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*program files*", "*route add*")) and
+ not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
+ not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1068/"
+name = "Exploitation for Privilege Escalation"
+id = "T1068"
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0004/"
+name = "Privilege Escalation"
+id = "TA0004"