Suspicious PrintSpooler Service Executable File Creationedit
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE’s - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
- endgame-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Data Source: Elastic Endgame
- Use Case: Vulnerability
- Data Source: Elastic Defend
Version: 106
Rule authors:
- Elastic
Rule license: Elastic License v2
Setupedit
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define event.ingested
and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
event.ingested
to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
Rule queryedit
file where host.os.type == "windows" and event.type == "creation" and process.name : "spoolsv.exe" and file.extension : "dll" and file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and not file.path : ( "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll", "?:\\WINDOWS\\system32\\x5lrs.dll", "?:\\WINDOWS\\sysWOW64\\x5lrs.dll", "?:\\WINDOWS\\system32\\PrintConfig.dll", "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll", "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll", "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll", "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/