diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
new file mode 100644
index 000000000..a25aab233
--- /dev/null
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2024/04/23"
+integration = ["endpoint", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential privilege escalation via CVE-2022-38028"
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
+]
+risk_score = 73
+rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and
+ file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
+ "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+