security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Potential privilege escalation via CVE-2022-38028 (#3616)

Browse Source 
* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 8f6de1c235)
This commit is contained in:
Samirbous
2024-04-29 15:10:27 +01:00
committed by github-actions[bot]
parent afb974a2f1
commit f1ea5eed21
1 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/privilege_escalation_exploit_cve_202238028.toml
+59
View File
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2024/04/23"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/23"
[rule]
author = ["Elastic"]
description = """
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
references = [
"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
]
risk_score = 73
rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "windows" and
file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
"?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"