1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM. The rule matches a registry sequence on the same host within 30 seconds: a printer's SpoolDirectory value is set to the x64 driver directory, followed by a CopyFiles Module value that points into that same directory.",
6  "from": "now-9m",
7  "index": [
8    "winlogbeat-*",
9    "logs-endpoint.events.*",
10    "logs-windows.*"
11  ],
12  "language": "eql",
13  "license": "Elastic License v2",
14  "name": "Suspicious Print Spooler Point and Print DLL",
15  "query": "sequence by host.id with maxspan=30s\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\" and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n",
16  "references": [
17    "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
18    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
19    "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"
20  ],
21  "risk_score": 73,
22  "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17",
23  "severity": "high",
24  "tags": [
25    "Elastic",
26    "Host",
27    "Windows",
28    "Threat Detection",
29    "Privilege Escalation"
30  ],
31  "threat": [
32    {
33      "framework": "MITRE ATT&CK",
34      "tactic": {
35        "id": "TA0004",
36        "name": "Privilege Escalation",
37        "reference": "https://attack.mitre.org/tactics/TA0004/"
38      },
39      "technique": [
40        {
41          "id": "T1068",
42          "name": "Exploitation for Privilege Escalation",
43          "reference": "https://attack.mitre.org/techniques/T1068/"
44        }
45      ]
46    }
47  ],
48  "type": "eql",
49  "version": 2
50}
51