Update v8.18.1
editUpdate v8.18.1
editThis section lists all updates associated with version 8.18.1 of the Fleet integration Prebuilt Security Detection Rules.
| Rule | Description | Status | Version |
|---|---|---|---|
Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the |
new |
3 |
|
Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the |
new |
3 |
|
Microsoft 365 Illicit Consent Grant via Registered Application |
Identifies an Microsoft 365 illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources in Microsoft 365. This is accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. This establishes an OAuth grant that allows the malicious client applocation to access resources in Microsoft 365 on-behalf-of the user. |
new |
3 |
A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity. This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system. |
new |
3 |
|
A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines. High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access. |
new |
3 |
|
A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity. |
new |
3 |
|
A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity. A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence. Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems. |
new |
3 |
|
A machine learning job has identified a user performing privileged operations in Okta from an uncommon device, indicating potential privileged access activity. This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges. |
new |
3 |
|
A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical location, indicating potential privileged access activity. This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges. |
new |
3 |
|
A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity. This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges. |
new |
3 |
|
A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity. Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment. |
new |
3 |
|
A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity. Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system. |
new |
3 |
|
A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity. Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches. |
new |
3 |
|
A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence. |
new |
3 |
|
A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity. Threat actors may manipulate user accounts to gain higher access rights or persist within the environment. |
new |
3 |
|
A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity. The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups), which could point to an attempt to escalate privileges or unauthorized modifications to group memberships. |
new |
3 |
|
A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity. A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation. |
new |
3 |
|
A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access. A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system. |
new |
3 |
|
A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity. This indicates an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts), which could be a sign of an attempt to escalate privileges or unauthorized activity involving account management. |
new |
3 |
|
Unusual Host Name for Windows Privileged Operations Detected |
A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity. This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges. |
new |
3 |
A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating potential privileged access activity. This indicates that a user has accessed a group name that is unusual for their typical operations, particularly for actions requiring elevated privileges. This could point to an attempt to manipulate group memberships or escalate privileges on a system. |
new |
3 |
|
A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity. This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs. |
new |
3 |
|
Unusual Region Name for Windows Privileged Operations Detected |
A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical location, indicating potential privileged access activity. This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges. |
new |
3 |
Unusual Source IP for Windows Privileged Operations Detected |
A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, indicating potential privileged access activity. This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges. |
new |
3 |
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains. |
new |
3 |
|
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains. |
new |
3 |
|
Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data. |
update |
5 |
|
Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the |
update |
5 |
|
Identifies |
update |
4 |
|
Identifies when a user is observed for the first time in the last 14 days authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. |
update |
5 |
|
Deprecated - Azure Virtual Network Device Modified or Deleted |
Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. Deprecated Notice - This rule has been deprecated in favor of other rules that provide more contextual threat behavior for Azure Virtual Network. |
update |
105 |
Microsoft Entra ID Illicit Consent Grant via Registered Application |
Identifies an illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources. This is accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. This establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. |
update |
216 |
Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity. |
update |
106 |
|
Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service disruption, such as large input sizes or rapid API calls. |
update |
2 |
|
Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions. |
update |
2 |
|
Monitors for suspicious activities that may indicate theft or unauthorized duplication of machine learning (ML) models, such as unauthorized API calls, atypical access patterns, or large data transfers that are unusual during model interactions. |
update |
2 |
|
Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts. |
update |
4 |
|
Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |
update |
108 |
|
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior detections only, and does not include prevention alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend behavior preventions only, and does not include detection only alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts. |
update |
5 |
|
Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts. |
update |
5 |
|
Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. |
update |
110 |
|
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms. |
update |
209 |
|
A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |
update |
110 |
|
A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |
update |
110 |
|
A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |
update |
110 |
|
High Number of Egress Network Connections from Unusual Executable |
This rule detects a high number of egress network connections from an unusual executable on a Linux system. This could indicate a command and control (C2) communication attempt, a brute force attack via a malware infection, or other malicious activity. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
3 |
This rule detects the deletion of the authorized_keys or authorized_keys2 files on Linux systems. These files are used to store public keys for SSH authentication. Unauthorized deletion of these files can be an indicator of an attacker removing access to the system, and may be a precursor to further malicious activity. |
update |
|
3 |
This rule leverages ES |
QL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or network-based security controls. ES |
|
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
3 |
|
This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls. |
update |
3 |
|
This rule detects the execution of kill, pkill, and killall commands on Linux systems. These commands are used to terminate processes on a system. Attackers may use these commands to kill security tools or other processes to evade detection or disrupt system operations. |
update |
3 |
|
This rule detects the creation of files in the /var/log/ directory via process executables located in world-writeable locations or via hidden processes. Attackers may attempt to hide their activities by creating files in the /var/log/ directory, which is commonly used for logging system events. |
update |
3 |
|
This rule detects potential Docker socket enumeration activity by monitoring processes that attempt to interact with the Docker socket file (/var/run/docker.sock). Docker socket enumeration is a common technique used by attackers to interact with the Docker daemon and perform various operations, such as creating, starting, stopping, and removing containers. Attackers may abuse Docker socket enumeration to gain unauthorized access to the host system, escalate privileges, or move laterally within the environment. |
update |
3 |
|
This rule detects potential port scanning activity from a compromised host. Port scanning is a common reconnaissance technique used by attackers to identify open ports and services on a target system. A compromised host may exhibit port scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable services, or prepare for further exploitation. This rule identifies potential port scanning activity by monitoring network connection attempts from a single host to a large number of ports within a short time frame. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
3 |
This rule detects potential subnet scanning activity from a compromised host. Subnet scanning is a common reconnaissance technique used by attackers to identify live hosts within a network range. A compromised host may exhibit subnet scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable hosts, or prepare for further exploitation. This rule identifies potential subnet scanning activity by monitoring network connection attempts from a single host to a large number of hosts within a short time frame. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
|
3 |
This rule leverages ES |
QL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use these utilities to exfiltrate data from a compromised system. ES |
|
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
3 |
|
This detection identifies a Linux host that has potentially been infected with malware and is being used to conduct brute-force attacks against external systems over SSH (port 22 and common alternative SSH ports). The detection looks for a high volume of outbound connection attempts to non-private IP addresses from a single process. A compromised host may be part of a botnet or controlled by an attacker, attempting to gain unauthorized access to remote systems. This behavior is commonly observed in SSH brute-force campaigns where malware hijacks vulnerable machines to expand its attack surface. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
3 |
This rule leverages the new_terms rule type to detect successful SSH authentications via a public key that has not been seen in the last 10 days. Public key authentication is a secure method for authenticating users to a server. Monitoring unusual public key authentication events can help detect unauthorized access attempts or suspicious activity on the system. |
update |
3 |
|
This rule leverages the new_terms rule type to detect successful SSH authentications by an IP- address that has not been authenticated in the last 10 days. This behavior may indicate an attacker attempting to gain access to the system using a valid account. |
update |
3 |
|
This rule leverages the new_terms rule type to detect successful SSH authentications by a user who has not been authenticated in the last 10 days. This behavior may indicate an attacker attempting to gain access to the system using a valid account. |
update |
3 |
|
This rule detects the creation of a file in a world-writeable directory through a service that is commonly used for file transfer. This behavior is often associated with lateral movement and can be an indicator of an attacker attempting to move laterally within a network. |
update |
3 |
|
This rule leverages the new_terms rule type to detect file creation via a commonly used file transfer service while excluding typical remote file creation activity. This behavior is often linked to lateral movement, potentially indicating an attacker attempting to move within a network. |
update |
3 |
|
This rule detects the creation of .pth files in system-wide and user-specific Python package directories, which can be abused for persistent code execution. .pth files automatically execute Python code when the interpreter starts, making them a stealthy persistence mechanism. Monitoring these paths helps identify unauthorized modifications that could indicate persistence by an attacker or malicious package injection. |
update |
3 |
|
This rule detects the creation and modification of sitecustomize.py and usercustomize.py, which Python automatically executes on startup. Attackers can exploit these files for persistence by injecting malicious code. The rule monitors system-wide, user-specific, and virtual environment locations to catch unauthorized changes that could indicate persistence or backdooring attempts. |
update |
3 |
|
This rule detects Linux user account credential modification events where the echo command is used to directly echo a password into the passwd utility. This technique is used by malware to automate the process of user account credential modification on Linux systems post-infection. |
update |
3 |
|
This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
update |
|
3 |
This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ES |
QL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. |
|
update |
3 |
This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems. |
|
update |
3 |
Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
106 |
Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. |
|
update |
105 |
Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |
|
update |
105 |
This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment. |
|
update |
106 |
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. |
|
update |
318 |
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file. |
|
update |
318 |
Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. |
|
update |
214 |
Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. |
|
update |
316 |
Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. |
|
update |
319 |
PowerShell Suspicious Discovery Related Windows API Functions |
This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. |
update |
318 |
Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe |
|
update |
422 |
Detects writing executable files that will be automatically launched by Adobe on launch. |
|
update |
417 |
AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. |
|
update |
314 |
Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. |
|
update |
213 |
Web Shell Detection: Script Process Child of Common Web Processes |
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |
update |
419 |
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE’s - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. |