From c6519a2474a55fd279f3e4bb16afdb50bfa2a23e Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 29 Sep 2020 21:11:43 +0200 Subject: [PATCH] [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146) * [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity Same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 * Update privilege_escalation_printspooler_service_suspicious_file.toml * Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml Co-authored-by: Justin Ibarra * Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml Co-authored-by: Justin Ibarra * Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml Co-authored-by: Justin Ibarra * Added references and changed file name to extension as it was closed as bug issue by endpoint dev team * Update privilege_escalation_printspooler_service_suspicious_file.toml * Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml Co-authored-by: Justin Ibarra Co-authored-by: Justin Ibarra Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ..._printspooler_service_suspicious_file.toml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml new file mode 100644 index 000000000..0f22d05d3 --- /dev/null +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2020/08/14" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/08/14" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more +information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted +system is patched. +""" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious PrintSpooler Service Executable File Creation" +references = [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files", +] +risk_score = 74 +rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.category:file and not event.type:deletion and + process.name:spoolsv.exe and + file.extension:(exe or dll) and + not file.path:(C\:\\Windows\\System32\\spool\\* or C\:\\Windows\\Temp\\* or C\:\\Users\\*) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"