From 89420ae976b5b7efb145341f1a6c0f85bd5236fa Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 7 Jul 2021 18:56:39 +0200 Subject: [PATCH] [New Rule] Potential PrintNightmare Exploitation rules (#1326) * [New Rule] Potential PrintNightmare Exploitation rules * added Potential PrintNightmare File Modification * added spoolsv as process name to narrow more the scope * added Suspicious Print Spooler File Deletion * removed Suspicious Print Driver Registry Modification cuz of potential noise * Update privilege_escalation_printspooler_malicious_registry_modification.toml * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Justin Ibarra * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Justin Ibarra * Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml Co-authored-by: Justin Ibarra * adjusted description and added a comment for sysmon compatibility * added FP note and relinted all files * Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...spooler_malicious_driver_file_changes.toml | 50 ++++++++++++++++ ...ooler_malicious_registry_modification.toml | 49 +++++++++++++++ ...printspooler_suspicious_file_deletion.toml | 52 ++++++++++++++++ ...ion_unusual_printspooler_childprocess.toml | 59 +++++++++++++++++++ 4 files changed, 210 insertions(+) create mode 100644 rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml create mode 100644 rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml create mode 100644 rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml create mode 100644 rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml diff --git a/rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml b/rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml new file mode 100644 index 000000000..1aebb2c2e --- /dev/null +++ b/rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2021/07/06" +maturity = "production" +updated_date = "2021/07/06" + +[rule] +author = ["Elastic"] +description = """ +Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit +privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 +and verify that the impacted system is investigated. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential PrintNightmare File Modification" +references = [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/afwu/PrintNightmare", +] +risk_score = 73 +rule_id = "5e87f165-45c2-4b80-bfa5-52822552c997" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +/* This rule is compatible with both Sysmon and Elastic Endpoint */ + +file where process.name : "spoolsv.exe" and + file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and + file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +reference = "https://attack.mitre.org/techniques/T1068/" +name = "Exploitation for Privilege Escalation" + + +[rule.threat.tactic] +id = "TA0004" +reference = "https://attack.mitre.org/tactics/TA0004/" +name = "Privilege Escalation" + diff --git a/rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml b/rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml new file mode 100644 index 000000000..06e9208e7 --- /dev/null +++ b/rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2021/07/06" +maturity = "production" +updated_date = "2021/07/06" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more +information refer to CVE-2021-34527 and verify that the impacted system is investigated. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential PrintNightmare Exploit Registry Modification" +references = [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/afwu/PrintNightmare", +] +risk_score = 73 +rule_id = "6506c9fd-229e-4722-8f0f-69be759afd2a" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +/* This rule is not compatible with Sysmon due to schema issues */ + +registry where process.name : "spoolsv.exe" and + (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or + (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and + registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll"))) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +name = "Exploitation for Privilege Escalation" +id = "T1068" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +name = "Privilege Escalation" +id = "TA0004" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml new file mode 100644 index 000000000..5da9302e5 --- /dev/null +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2021/07/06" +maturity = "production" +updated_date = "2021/07/06" + +[rule] +author = ["Elastic"] +description = """ +Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful +privilege escalation via Print Spooler service related vulnerabilities. +""" +false_positives = [ + """ + Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as + manufacturer and signature information. + """, +] +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Print Spooler File Deletion" +references = [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/afwu/PrintNightmare", +] +risk_score = 47 +rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.type : "deletion" and + not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and + file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +reference = "https://attack.mitre.org/techniques/T1068/" +name = "Exploitation for Privilege Escalation" + + +[rule.threat.tactic] +id = "TA0004" +reference = "https://attack.mitre.org/tactics/TA0004/" +name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml new file mode 100644 index 000000000..d17e92911 --- /dev/null +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -0,0 +1,59 @@ +[metadata] +creation_date = "2021/07/06" +maturity = "production" +updated_date = "2021/07/06" + +[rule] +author = ["Elastic"] +description = """ +Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege +escalation vulnerabilities related to the Printing Service on Windows. +""" +false_positives = [ + """ + Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature + information. + """, +] +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Unusual Print Spooler Child Process" +references = [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/afwu/PrintNightmare", +] +risk_score = 47 +rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and + process.parent.name : "spoolsv.exe" and user.id : "S-1-5-18" and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1068/" +name = "Exploitation for Privilege Escalation" +id = "T1068" + + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0004/" +name = "Privilege Escalation" +id = "TA0004"