Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVEs - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
Rule type: eql
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
- Threat Detection
- Privilege Escalation
Rule license: Elastic License v2
## Config

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested`, and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline that populates `event.ingested` from `@timestamp` for this rule to work.
```eql
file where event.type != "deletion" and process.name : "spoolsv.exe" and file.extension : ("exe", "dll") and not file.path : ("?:\\Windows\\System32\\spool\\*", "?:\\Windows\\Temp\\*", "?:\\Users\\*")
```
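As an added illustration (not part of the rule or Elastic's code), the following Python reproduces the query's logic over constructed, flattened ECS-style events, including the case-insensitive `:` matching and the `?`/`*` wildcards of the excluded paths; the flattened-dict event shape and the sample paths are assumptions made for the example.

```python
import re
from typing import Iterable
# Allow-listed write locations from the rule: `?` matches one character, `*` any run.
ALLOWED_PATHS = (r"?:\Windows\System32\spool\*", r"?:\Windows\Temp\*", r"?:\Users\*")

def eql_glob(pattern: str) -> re.Pattern:
    """Translate an EQL `:` wildcard pattern into a case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

ALLOWED = [eql_glob(p) for p in ALLOWED_PATHS]

def matches_rule(event: dict) -> bool:
    """True when a flattened ECS-style file event satisfies the rule's EQL query."""
    if event.get("event.category") != "file" or event.get("event.type") == "deletion":
        return False
    if (event.get("process.name") or "").lower() != "spoolsv.exe":
        return False
    if (event.get("file.extension") or "").lower() not in ("exe", "dll"):
        return False
    # Writes under the spooler's own directories, Temp or user profiles are expected.
    return not any(rx.fullmatch(event.get("file.path", "")) for rx in ALLOWED)

def alerts(events: Iterable[dict]) -> list:
    """Return the file paths of all events that would raise this rule."""
    return [e["file.path"] for e in events if matches_rule(e)]

def ev(etype: str, proc: str, ext: str, path: str) -> dict:
    """Build a constructed flattened event (sample data, not real telemetry)."""
    return {"event.category": "file", "event.type": etype,
            "process.name": proc, "file.extension": ext, "file.path": path}

SAMPLE_EVENTS = [
    ev("creation", "spoolsv.exe", "dll", r"C:\Windows\System32\spool\drivers\x64\3\ps5ui.dll"),  # allow-listed
    ev("creation", "spoolsv.exe", "dll", r"C:\Windows\System32\unexpected.dll"),               # alert
    ev("deletion", "spoolsv.exe", "dll", r"C:\Windows\System32\unexpected.dll"),               # deletions excluded
    ev("creation", "SPOOLSV.EXE", "EXE", r"D:\Tools\unexpected.exe"),                         # `:` is case-insensitive, alert
    ev("creation", "explorer.exe", "exe", r"C:\Windows\System32\other.exe"),                  # other process
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```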
Framework: MITRE ATT&CK™