From f1ea5eed218165aa9c1d91dbd89ee2a851766264 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 29 Apr 2024 15:10:27 +0100
Subject: [PATCH] [New] Potential privilege escalation via CVE-2022-38028 (#3616)

* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 8f6de1c235fb0dc249b8d2784f1a9f198ec15882)
---
 ...lege_escalation_exploit_cve_202238028.toml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 rules/windows/privilege_escalation_exploit_cve_202238028.toml

diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
new file mode 100644
index 000000000..a25aab233
--- /dev/null
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2024/04/23"
+integration = ["endpoint", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential privilege escalation via CVE-2022-38028"
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
+]
+risk_score = 73
+rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and
+ file.path : ("?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
+ "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
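Review bot: The `?:\\*\\Windows\\...` prefix in both `file.path` patterns of the `query` requires a literal `\` after the `*`, so at least one directory must sit between the drive root and `\Windows`; the genuine `C:\Windows\System32\DriverStore\FileRepository\...\MPDW-constraints.js` and `C:\Windows\WinSxS\...\MPDW-constraints.js` locations are therefore never matched by this rule. If that is deliberate — the referenced report appears to describe the tool staging a look-alike `\Windows\system32\DriVerStoRe\FiLeRePoSiToRy\` tree under an attacker-controlled directory, which would also explain the mixed-case spelling (EQL `:` is case-insensitive, so the casing does not affect matching either way) — a one-line comment in the query stating that the wildcard prefix intentionally targets the staged copy would keep the next maintainer from "fixing" it. If it is not deliberate, add the root-anchored variants as two further patterns, `"?:\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",` and `"?:\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"`. Separately, the query has no `event.type` constraint, so a deletion of the file alerts at the same `risk_score = 73` as a write; if only staging or tampering is of interest, `event.type : ("creation", "change")` narrows it, though legitimate component servicing that populates WinSxS may then still need an exclusion, which I cannot confirm from this rule alone.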