Potential privilege escalation via CVE-2022-38028

Last updated 3 months ago on 2025-03-20

Created a year ago on 2024-04-23

About

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Privilege EscalationTactic: Defense EvasionData Source: Elastic EndgameData Source: Elastic DefendData Source: SysmonData Source: Microsoft Defender for EndpointData Source: SentinelOneLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Exploitation for Privilege Escalation (T1068)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Masquerading (T1036)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.file-*logs-windows.sysmon_operational-*endgame-*winlogbeat-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

m365_defender(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

file where host.os.type == "windows" and event.type != "deletion" and
    file.name : "MPDW-constraints.js" and
    file.path : (
        "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js",
        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
    )

Install detection rules in Elastic Security

Detect Potential privilege escalation via CVE-2022-38028 in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).