SigmaHQ/rules/windows/registry_event/sysmon_cve-2020-1048.yml
2020-09-06 22:10:44 +03:00

title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: experimental
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
author: EagleEye Team, Florian Roth, NVISO
date: 2020/05/13
modified: 2020/09/06
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
tags:
    - attack.persistence
    - attack.execution
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
        EventType:
            - SetValue
            - DeleteValue
            - CreateValue
        Details|contains:
            - '.dll'
            - '.exe'
            - '.bat'
            - '.com'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
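As an added example, not part of the SigmaHQ rule or repository: the rule's `selection` re-implemented in Python and run over constructed Sysmon registry events, showing which of them would fire and why the others would not. The event dicts, the value names and the DLL path inside them are constructed samples, not real telemetry.

```python
# Added example: evaluates the Sigma 'selection' above against constructed
# Sysmon registry_event records. Field names mirror Sysmon's TargetObject,
# EventType and Details fields; the sample values are constructed.

PORTS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports"
EVENT_TYPES = {"SetValue", "DeleteValue", "CreateValue"}
SUSPICIOUS_DETAILS = [".dll", ".exe", ".bat", ".com", "C:"]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's selection.

    Sigma string modifiers (startswith/contains) are case-insensitive by
    default, so both sides are lowercased as a Sigma backend would do.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    if not target.startswith(PORTS_KEY.lower()):
        return False
    if event.get("EventType") not in EVENT_TYPES:
        return False
    # A list under 'Details|contains' is an OR over its items.
    return any(s.lower() in details for s in SUSPICIOUS_DETAILS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate serial port: value data is a baud-rate string -> no alert
        "EventType": "SetValue",
        "TargetObject": PORTS_KEY + r"\COM1:",
        "Details": "9600,n,8,1",
    },
    {   # port value whose data is a DLL path (constructed) -> alert
        "EventType": "SetValue",
        "TargetObject": PORTS_KEY + r"\spooler_port",
        "Details": r"C:\Windows\System32\example.dll",
    },
    {   # same data under a different key -> outside the rule's scope
        "EventType": "SetValue",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers",
        "Details": r"C:\Windows\System32\example.dll",
    },
    {   # key creation is not one of the listed value operations -> no alert
        "EventType": "CreateKey",
        "TargetObject": PORTS_KEY + r"\new_port",
        "Details": "",
    },
]


def alerting_events(events: list) -> list:
    """Indices of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting event indices:", alerting_events(SAMPLE_EVENTS))  # [1]
```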