[metadata] creation_date = "2021/07/06" deprecation_date = "2022/03/16" maturity = "deprecated" updated_date = "2022/03/16" [rule] author = ["Elastic"] description = """ Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential PrintNightmare Exploit Registry Modification" references = [ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/afwu/PrintNightmare", ] risk_score = 73 rule_id = "6506c9fd-229e-4722-8f0f-69be759afd2a" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] timestamp_override = "event.ingested" type = "eql" query = ''' /* This rule is not compatible with Sysmon due to schema issues */ registry where process.name : "spoolsv.exe" and (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll"))) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] name = "Exploitation for Privilege Escalation" id = "T1068" reference = "https://attack.mitre.org/techniques/T1068/" [rule.threat.tactic] name = "Privilege Escalation" id = "TA0004" reference = "https://attack.mitre.org/tactics/TA0004/"