sigma-rules/rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml

[metadata]
creation_date = "2021/07/06"
deprecation_date = "2022/03/16"
maturity = "deprecated"
updated_date = "2022/03/16"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to CVE-2021-34527 and verify that the impacted system is investigated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential PrintNightmare Exploit Registry Modification"
references = [
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
    "https://github.com/afwu/PrintNightmare",
]
risk_score = 73
rule_id = "6506c9fd-229e-4722-8f0f-69be759afd2a"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* This rule is not compatible with Sysmon due to schema issues */

registry where process.name : "spoolsv.exe" and
  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or
  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and
   registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll")))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Exploitation for Privilege Escalation"
id = "T1068"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
name = "Privilege Escalation"
id = "TA0004"
reference = "https://attack.mitre.org/tactics/TA0004/"