/
spoolsv_suspicious_process_access.yml
73 lines (73 loc) · 2.98 KB
/
spoolsv_suspicious_process_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Spoolsv Suspicious Process Access
id: 799b606e-da81-11eb-93f8-acde48001122
version: 1
date: '2021-07-01'
author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
description: This analytic identifies a suspicious behavior related to PrintNightmare,
or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the
vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability
to elevate privilege. This detection is to look for suspicious process access made
by the spoolsv.exe that may related to the attack.
data_source:
- Sysmon Event ID 1
search: '`sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*"
TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff |
stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage
TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with process access event where SourceImage, TargetImage, GrantedAccess and
CallTrace executions from your endpoints. If you are using Sysmon, you must have
at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.
known_false_positives: Unknown. Filter as needed.
references:
- https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818
- https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available
- https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675
- https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes
tags:
analytic_story:
- PrintNightmare CVE-2021-34527
asset_type: Endpoint
confidence: 90
cve:
- CVE-2021-34527
impact: 80
message: $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint
$dest$. This behavior is suspicious and related to PrintNightmare.
mitre_attack_id:
- T1068
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: ProcessID
type: Process
role:
- Parent Process
- name: TargetImage
type: Process Name
role:
- Target
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- SourceImage
- TargetImage
- GrantedAccess
- CallTrace
- EventCode
risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog