Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Suspicious PrinterPorts Creation (CVE-2020-1048)

Detects new commands that add new printer port which point to suspicious file

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
EagleEye Team, Florian Roth (Nextron Systems)Created Wed May 13Updated Sat Nov 27cc08d590-8b90-413a-aff6-31d1a99678d72020
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection1:
        CommandLine|contains: 'Add-PrinterPort -Name'
    selection2:
        CommandLine|contains:
            - '.exe'
            - '.dll'
            - '.bat'
    selection3:
        CommandLine|contains: 'Generic / Text Only'
    condition: (selection1 and selection2) or selection3
False Positives

New printer port install on host

References
1
Resolving title…
windows-internals.com
MITRE ATT&CK

Other

cve.2020-1048detection.emerging-threats
Rule Metadata
Rule ID
cc08d590-8b90-413a-aff6-31d1a99678d7
Status
test
Level
high
Type
Emerging Threat
Created
Wed May 13
Modified
Sat Nov 27
Author
EagleEye Team, Florian Roth (Nextron Systems)
Path
rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
Raw Tags
attack.persistenceattack.executionattack.t1059.001cve.2020-1048detection.emerging-threats
View on GitHub