SigmaHQ/rules/windows/registry_event/sysmon_cve-2020-1048.yml

title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: experimental
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
author: EagleEye Team, Florian Roth, NVISO
date: 2020/05/13
modified: 2020/05/26
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
tags:
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: registry_event
detection:        
    selection:
        TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
        EventType:
            - SetValue
            - DeleteValue
            - CreateValue
        Details|contains:
            - '.dll'
            - '.exe'
            - '.bat'
            - '.com'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`title: Suspicious New Printer Ports in Registry (CVE-2020-1048)`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`id: 7ec912f2-5175-4868-b811-ec13ad0f8567`
			`status: experimental`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048`
Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details 2020-05-26 09:20:21 +00:00			`author: EagleEye Team, Florian Roth, NVISO`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`date: 2020/05/13`
Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details 2020-05-26 09:20:21 +00:00			`modified: 2020/05/26`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`references:`
			`- https://windows-internals.com/printdemon-cve-2020-1048/`
			`tags:`
			`- attack.persistence`
			`- attack.execution`
			`logsource:`
			`product: windows`
refactor: sysmon rule cleanup > generlization 2020-07-01 08:58:39 +00:00			`category: registry_event`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`detection:`
refactor: sysmon rule cleanup > generlization 2020-07-01 08:58:39 +00:00			`selection:`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'`
fix CVE 2020-1048 rule 2020-05-15 11:25:05 +00:00			`EventType:`
			`- SetValue`
			`- DeleteValue`
			`- CreateValue`
Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details 2020-05-26 09:20:21 +00:00			`Details\|contains:`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`- '.dll'`
			`- '.exe'`
refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 07:16:19 +00:00			`- '.bat'`
Update to sysmon_cve-2020-1048 Added .com executables to detection Second TargetObject should have been Details 2020-05-26 09:20:21 +00:00			`- '.com'`
rule: CVE-2020-1048 2020-05-15 10:08:31 +00:00			`- 'C:'`
fix: missing condition in CVE-2020-1048 rule 2020-05-16 06:59:05 +00:00			`condition: selection`
refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 07:09:58 +00:00			`falsepositives:`
			`- New printer port install on host`
			`level: high`