Samirbous
89420ae976
* [New Rule] Potential PrintNightmare Exploitation rules * added Potential PrintNightmare File Modification * added spoolsv as process name to narrow more the scope * added Suspicious Print Spooler File Deletion * removed Suspicious Print Driver Registry Modification cuz of potential noise * Update privilege_escalation_printspooler_malicious_registry_modification.toml * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * adjusted description and added a comment for sysmon compatibility * added FP note and relinted all files * Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
51 lines
1.5 KiB
TOML
51 lines
1.5 KiB
TOML
[metadata]
|
|
creation_date = "2021/07/06"
|
|
maturity = "production"
|
|
updated_date = "2021/07/06"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit
|
|
privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527
|
|
and verify that the impacted system is investigated.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Potential PrintNightmare File Modification"
|
|
references = [
|
|
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
|
|
"https://github.com/afwu/PrintNightmare",
|
|
]
|
|
risk_score = 73
|
|
rule_id = "5e87f165-45c2-4b80-bfa5-52822552c997"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
/* This rule is compatible with both Sysmon and Elastic Endpoint */
|
|
|
|
file where process.name : "spoolsv.exe" and
|
|
file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and
|
|
file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*"
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1068"
|
|
reference = "https://attack.mitre.org/techniques/T1068/"
|
|
name = "Exploitation for Privilege Escalation"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
name = "Privilege Escalation"
|
|
|