SigmaHQ/rules/windows/process_creation/win_exploit_cve_2020_1048.yml

title: Suspicious PrinterPorts Creation (CVE-2020-1048)
id: cc08d590-8b90-413a-aff6-31d1a99678d7
status: experimental
description: Detects new commands that add new printer port which point to suspicious file
author: EagleEye Team, Florian Roth
date: 2020/05/13
modified: 2020/05/23
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
tags:
    - attack.persistence
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 
            - 'Add-PrinterPort -Name'
    selection2:
        CommandLine|contains: 
            - '.exe'
            - '.dll'
            - '.bat'
    selection3:
        CommandLine|contains:
            - 'Generic / Text Only'
    condition: ( selection1 and selection2 ) or selection3
falsepositives:
    - New printer port install on host
level: high
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`title: Suspicious PrinterPorts Creation (CVE-2020-1048)`
			`id: cc08d590-8b90-413a-aff6-31d1a99678d7`
			`status: experimental`
			`description: Detects new commands that add new printer port which point to suspicious file`
			`author: EagleEye Team, Florian Roth`
			`date: 2020/05/13`
			`modified: 2020/05/23`
			`references:`
			`- https://windows-internals.com/printdemon-cve-2020-1048/`
			`tags:`
			`- attack.persistence`
			`- attack.execution`
att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00			`- attack.t1059.001`
			`- attack.t1086 #an old one`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 07:16:19 +00:00			`CommandLine\|contains:`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`- 'Add-PrinterPort -Name'`
			`selection2:`
refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 07:16:19 +00:00			`CommandLine\|contains:`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`- '.exe'`
refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 07:16:19 +00:00			`- '.dll'`
			`- '.bat'`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`selection3:`
			`CommandLine\|contains:`
			`- 'Generic / Text Only'`
refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 07:16:19 +00:00			`condition: ( selection1 and selection2 ) or selection3`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`falsepositives:`
			`- New printer port install on host`
			`level: high`