Query Details

Rule Documentation: Potential Privilege Escalation via CVE-2022-38028 (Windows)

Printspooler Elevation

Query

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\" or FolderPath startswith "C:\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf"
| where FileName endswith ".js" or FileName == "MPDW-constraints.js"
| where InitiatingProcessFileName != "drvinst.exe"

About this query

Rule Documentation: Potential Privilege Escalation via CVE-2022-38028 (Windows)

Description

This detection rule identifies potential privilege escalation attempts on Windows systems via CVE-2022-38028. This vulnerability allows attackers to escalate privileges by exploiting specific processes and file paths. Monitoring for these patterns can help detect malicious activities aiming to exploit this CVE.

Detection Logic

  • Monitors DeviceFileEvents for file creation events in specific directories associated with the CVE.
  • Filters for JavaScript files created in these directories, excluding those initiated by the legitimate drvinst.exe process.

Tags

  • Privilege Escalation
  • CVE-2022-38028

Search Query

Explanation

This query detects potential privilege escalation attempts on Windows systems using CVE-2022-38028 by monitoring file creation events in specific directories for JavaScript files, excluding those created by the legitimate drvinst.exe process.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 20, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsActionTypeFileCreatedFolderPathstartswithFileNameendswithInitiatingProcessFileNameCVE-2022-38028

Operators

wherestartswithorendswith==!=

Actions

GitHub