Potential privilege escalation via CVE-2022-38028

Last updated: 2025-09-11
Created: 2024-04-23

About

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Data Source: Crowdstrike
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.file-*
logs-windows.sysmon_operational-*
endgame-*
winlogbeat-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-crowdstrike.fdr*
Related Integrations

endpoint

windows

m365_defender

sentinel_one_cloud_funnel

crowdstrike

Query
file where host.os.type == "windows" and event.type != "deletion" and
    file.name : "MPDW-constraints.js" and
    file.path : (
        "?:\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js", 
        "\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
        "\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
    ) and
    not process.executable : (
          "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
          "?:\\Windows\\System32\\taskhostw.exe"
    ) and
    not file.path : (
        "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
        "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
    )
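To see how the rule's conditions combine, here is an added Python re-implementation of the query above, run over constructed sample file events. It is not Elastic's code; it assumes EQL `:` wildcard semantics of case-insensitive matching with `*` for zero or more characters and `?` for exactly one, and every sample path, process name and package folder is a constructed placeholder.

```python
import re
# Path literals from the rule above, with EQL string escapes resolved ("\\" -> "\").
INCLUDE_PATHS = [
    r"?:\*\Windows\system32\DriverStore\FileRepository\*\MPDW-constraints.js",
    r"?:\*\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_*\MPDW-constraints.js",
    r"\Device\HarddiskVolume*\*\Windows\system32\DriverStore\FileRepository\*\MPDW-constraints.js",
    r"\Device\HarddiskVolume*\*\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_*\MPDW-constraints.js",
]
EXCLUDE_PROCESSES = [r"?:\$WINDOWS.~BT\Sources\SetupHost.exe", r"?:\Windows\System32\taskhostw.exe"]
EXCLUDE_PATHS = [
    r"?:\$WINDOWS.~BT\NewOS\Windows\WinSxS\*\MPDW-constraints.js",
    r"\Device\HarddiskVolume*\$WINDOWS.~BT\NewOS\Windows\WinSxS\*\MPDW-constraints.js",
]

def eql_like(value, pattern):
    """EQL ':' as assumed here: case-insensitive, '*' = zero or more chars, '?' = exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def rule_matches(event):
    """Evaluate the rule's conditions against one flattened ECS event dict; True means alert."""
    path = event.get("file.path", "")
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") != "deletion"
        and eql_like(event.get("file.name", ""), "MPDW-constraints.js")
        and any(eql_like(path, p) for p in INCLUDE_PATHS)
        and not any(eql_like(event.get("process.executable", ""), p) for p in EXCLUDE_PROCESSES)
        and not any(eql_like(path, p) for p in EXCLUDE_PATHS)
    )

# Constructed sample events, not real telemetry. The package folder names are placeholders; "Staging"
# stands in for the component that "?:\*\Windows" needs between the drive root and "\Windows" when
# "*" may match nothing ("C:\Windows\..." on its own does not satisfy that literal pattern).
DRIVERSTORE = r"C:\Staging\Windows\System32\DriverStore\FileRepository\EXAMPLE.inf_amd64_0\Amd64\MPDW-constraints.js"
UPGRADE = r"C:\$WINDOWS.~BT\NewOS\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_0\MPDW-constraints.js"
def sample(path, process, etype="creation"):
    return {"host.os.type": "windows", "event.type": etype, "file.name": "MPDW-constraints.js",
            "file.path": path, "process.executable": process}

SAMPLE_EVENTS = {
    "unknown_writer": sample(DRIVERSTORE, r"C:\Users\alice\AppData\Local\Temp\unknown.exe"),
    "taskhostw_writer": sample(DRIVERSTORE, r"C:\Windows\System32\taskhostw.exe"),
    "deletion": sample(DRIVERSTORE, r"C:\Users\alice\AppData\Local\Temp\unknown.exe", "deletion"),
    "upgrade_staging": sample(UPGRADE, r"C:\$WINDOWS.~BT\Sources\SetupHost.exe"),
}

def evaluate_samples():
    """Return {sample name: alerts?} for the constructed events."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Only the write by an unrecognised process alerts; the taskhostw write, the deletion and the in-place upgrade staging are all suppressed by the rule's exclusions. Validate the path patterns against the `file.path` values your own sensors emit before relying on them.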

Install detection rules in Elastic Security

Detect Potential privilege escalation via CVE-2022-38028 in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.