
Commit e703ceb

w0rk3rtradebot-elastic
authored and committed
[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976)
Co-authored-by: Mika Ayenson, PhD <[email protected]> (cherry picked from commit 5f7b821)
1 parent 1f138b9 commit e703ceb


1 file changed

+12
-11
lines changed


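--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/13"
 
 [rule]
 author = ["Elastic"]
@@ -87,54 +87,55 @@ event.category : "file" and host.os.type : "windows" and event.type : "creation"
 
 
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = false
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\Sys?????\\\\*"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\Sys?????\\u005lrs.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\system32\\spool\\DRIVERS\\u0064\\\\*.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\system32\\spool\\PRTPROCS\\u0064\\\\*.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]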
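Review bot: The repaired wildcard values at new lines 108, 115 and 129 bring those three filters back to the `\\\\` escaping the surrounding filters already use, but nothing in the rule or its tests guards against the pattern that broke them: the removed `\\u005lrs.dll` and `\\u0064\\\\*.dll` look like `\x5l` and `\x64` having been rewritten as hex escapes by an earlier serialization pass, which is inferred rather than visible here. A validation check that every `rule.filters.query.wildcard."file.path"` value contains only `\\\\` as a path separator (never a lone `\\` or a `\u` sequence) would fail fast next time, instead of letting a `negate = true` exclusion silently stop matching and the rule fire on routine driver DLL drops under `spool\DRIVERS\x64`. Separately, new lines 137–138 both render as empty additions before `[[rule.threat]]`; if both are blank, a single blank line would match the spacing used between the filter blocks above.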
