{
  "author": [
    "Elastic"
  ],
  "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.",
  "from": "now-9m",
  "index": [
    "winlogbeat-*",
    "logs-endpoint.events.*",
    "logs-windows.*"
  ],
  "language": "eql",
  "license": "Elastic License v2",
  "name": "Suspicious Print Spooler Point and Print DLL",
  "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
  "references": [
    "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
    "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
  ],
  "risk_score": 73,
  "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
  "severity": "high",
  "tags": [
    "Elastic",
    "Host",
    "Windows",
    "Threat Detection",
    "Privilege Escalation"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0004",
        "name": "Privilege Escalation",
        "reference": "https://attack.mitre.org/tactics/TA0004/"
      },
      "technique": [
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "reference": "https://attack.mitre.org/techniques/T1068/"
        }
      ]
    }
  ],
  "type": "eql",
  "version": 2
}