nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml

@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2025/05/23"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2025/11/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA
+account migration feature to elevate privileges abusing weak persmission allowing users child objects rights or
+msDS-DelegatedManagedServiceAccount rights.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "dMSA Account Creation by an Unusual User"
+note = """## Triage and analysis
+
+### Investigating dMSA Account Creation by an Unusual User
+
+### Possible investigation steps
+- Examine the winlog.event_data.SubjectUserName field and verify if he is allowed and used to create dMSA accounts.
+- Examine all Active Directory modifications performed by the winlog.event_data.SubjectUserName.
+- Investigate the history of the identified user account to determine if there are any other suspicious activities or patterns of behavior.
+- Collaborate with the IT or security team to determine if the changes were authorized or if further action is needed to secure the environment.
+
+### False positive analysis
+
+- Migration of legacy service accounts using delegated managed service account.
+
+### Response and remediation
+
+- Immediately disable the winlog.event_data.SubjectUserName account and revert all changes performed by that account.
+- Identify and isolate the source machines from where the SubjectUserName is authenticating.
+- Reset passwords for all accounts that were potentially affected or had their permissions altered, focusing on privileged accounts to prevent adversaries from regaining access.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts.
+- Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects or create OU child objects."""
+references = ["https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory"]
+risk_score = 73
+rule_id = "f0dbff4c-1aa7-4458-9ed5-ada472f64970"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Use Case: Active Directory Monitoring",
+    "Data Source: Active Directory",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"msDS-DelegatedManagedServiceAccount"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["winlog.event_data.SubjectUserName"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"

nldcsc_elastic_rules/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2024/05/29"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll
+functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned DLL loaded by DNS Service"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unsigned DLL loaded by DNS Service
+
+The DNS service in Windows environments is crucial for resolving domain names to IP addresses. It can be extended via DLLs, which, if unsigned, may indicate tampering. Adversaries exploit this by loading malicious DLLs to gain elevated privileges or execute code with SYSTEM rights. The detection rule identifies such threats by monitoring the DNS process for loading untrusted DLLs, flagging potential privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific DLL file that was loaded by the DNS service and check its file path and name for any known malicious indicators.
+- Examine the file's code signature status and metadata to determine why it is not trusted or valid, and cross-reference with known trusted sources or databases.
+- Investigate the process tree of dns.exe to identify any parent or child processes that may indicate how the unsigned DLL was introduced or executed.
+- Check the system's event logs for any recent changes or anomalies around the time the DLL was loaded, focusing on events related to process creation, file modification, or user account activity.
+- Analyze network traffic logs for any unusual DNS queries or outbound connections that could suggest communication with a command and control server.
+- Assess the system for other signs of compromise, such as unauthorized user accounts, scheduled tasks, or registry changes that could indicate further exploitation or persistence mechanisms.
+- If possible, isolate the affected system to prevent further potential malicious activity and begin remediation steps based on the findings.
+
+### False positive analysis
+
+- Legitimate software updates or patches may introduce new DLLs that are unsigned. Verify the source of the update and, if trusted, create an exception for these DLLs to prevent future alerts.
+- Custom or in-house applications might use unsigned DLLs for specific functionalities. Confirm the legitimacy of these applications and add them to an allowlist to avoid unnecessary alerts.
+- Some third-party security or monitoring tools may load unsigned DLLs as part of their operation. Validate these tools with your security team and configure exceptions for known, safe DLLs.
+- Development or testing environments often use unsigned DLLs during the software development lifecycle. Ensure these environments are properly segmented and consider excluding them from this rule to reduce noise.
+- Legacy systems might rely on older, unsigned DLLs that are still in use. Conduct a risk assessment and, if deemed safe, exclude these DLLs from triggering alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
+- Terminate the DNS service process (dns.exe) to stop the execution of the malicious DLL and prevent further potential damage.
+- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or software.
+- Restore the DNS service to its original state by replacing the compromised DLL with a legitimate, signed version from a trusted source or backup.
+- Review and update the system's security patches and configurations to address any vulnerabilities that may have been exploited, particularly those related to privilege escalation.
+- Monitor the system and network for any signs of continued or repeated unauthorized activity, focusing on similar indicators of compromise.
+- Report the incident to the appropriate internal security team or external authorities if required, providing details of the threat and actions taken for further investigation and response."""
+references = [
+    "https://cube0x0.github.io/Pocing-Beyond-DA/",
+    "https://adsecurity.org/?p=4064",
+    "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll",
+]
+risk_score = 47
+rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.category : ("library", "process") and
+  event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
+  process.executable : "?:\\windows\\system32\\dns.exe" and
+  not ?dll.code_signature.trusted == true and
+  not file.code_signature.status == "Valid"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/windows/privilege_escalation_driver_newterm_imphash.toml

@@ -0,0 +1,156 @@
+[metadata]
+creation_date = "2022/12/19"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/02/03"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+"""
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the load of a driver with an original file name and signature values that were observed for the first time
+during the last 30 days. This rule type can help baseline drivers installation within your environment.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen Driver Loaded"
+note = """## Triage and analysis
+
+### Investigating First Time Seen Driver Loaded
+
+A driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.
+
+Attackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.
+
+Read the complete research on "Stopping Vulnerable Driver Attacks" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).
+
+This rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:
+  - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.
+  - Examine the digital signature of the driver, and check if it's valid.
+  - Examine the creation and modification timestamps of the file:
+    - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `"dll.Ext.relative_file_name_modify_time"` fields, with the values being seconds.
+    - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.
+      - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
+  - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Use Osquery to investigate the drivers loaded into the system.
+  - $osquery_0
+  - $osquery_1
+- Identify the driver's `Device Name` and `Service Name`.
+- Check for alerts from the rules specified in the `Related Rules` section.
+
+### False positive analysis
+
+- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.
+
+### Related Rules
+
+- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa
+- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
+- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)
+- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
+  - This can be done via PowerShell `Remove-Service` cmdlet.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Ensure that the Driver Signature Enforcement is enabled on the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"]
+risk_score = 47
+rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"driver" and host.os.type:windows and event.action:"load"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique.subtechnique]]
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-30d"
+
+

nldcsc_elastic_rules/rules/windows/privilege_escalation_expired_driver_loaded.toml

@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2023/06/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
+to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Expired or Revoked Driver Loaded"
+references = [
+    "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
+]
+risk_score = 47
+rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+driver where host.os.type == "windows" and process.pid == 4 and
+  dll.code_signature.status : ("errorExpired", "errorRevoked")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Expired or Revoked Driver Loaded
+In Windows environments, drivers facilitate communication between the OS and hardware. Adversaries exploit vulnerabilities in outdated drivers or misuse revoked certificates to execute malicious code in kernel mode, bypassing security controls. The detection rule identifies such threats by monitoring for drivers with expired or revoked signatures, focusing on processes critical to system integrity, thus flagging potential privilege escalation or defense evasion attempts.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of a driver with an expired or revoked signature, focusing on the process with PID 4, which is typically the System process in Windows.
+- Investigate the specific driver file that triggered the alert by checking its file path, hash, and any associated metadata to determine its origin and legitimacy.
+- Cross-reference the driver file against known vulnerability databases and security advisories to identify any known exploits associated with it.
+- Examine recent system logs and security events for any unusual activities or attempts to load other drivers around the same time as the alert.
+- Assess the system for any signs of privilege escalation or defense evasion, such as unauthorized access attempts or changes to security settings.
+- If the driver is confirmed to be malicious or suspicious, isolate the affected system to prevent further compromise and initiate a detailed forensic analysis.
+
+### False positive analysis
+
+- Legitimate software updates may load drivers with expired or revoked signatures temporarily. Verify the source and purpose of the driver before excluding it.
+- Some older hardware devices may rely on drivers that have expired signatures but are still necessary for functionality. Confirm the device's necessity and consider excluding these drivers if they are from a trusted source.
+- Security software or system management tools might use drivers with expired signatures for legitimate operations. Validate the software's legitimacy and add exceptions for these drivers if they are verified as safe.
+- Custom or in-house developed drivers might not have updated signatures. Ensure these drivers are from a trusted internal source and consider excluding them if they are essential for operations.
+- Test environments may intentionally use expired or revoked drivers for research or development purposes. Clearly document these cases and exclude them to prevent unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
+- Terminate any processes associated with the expired or revoked driver to halt any ongoing malicious activity.
+- Conduct a thorough review of the system to identify any unauthorized changes or additional malicious drivers that may have been loaded.
+- Revoke any compromised certificates and update the certificate trust list to prevent future misuse.
+- Apply the latest security patches and driver updates to close any vulnerabilities that may have been exploited.
+- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected.
+- Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/privilege_escalation_exploit_cve_202238028.toml

@@ -0,0 +1,127 @@
+[metadata]
+creation_date = "2024/04/23"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/09/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.file-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "winlogbeat-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential privilege escalation via CVE-2022-38028"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential privilege escalation via CVE-2022-38028
+
+CVE-2022-38028 targets the Windows Print Spooler service, a core component managing print jobs. Adversaries exploit this by manipulating specific JavaScript files within system directories to gain elevated privileges. The detection rule identifies unauthorized file presence in critical paths, signaling potential exploitation attempts, leveraging multiple data sources for comprehensive threat detection.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of the file "MPDW-constraints.js" in the specified critical paths: "?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js" or "?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js".
+- Check the file creation and modification timestamps to determine when the file was placed or altered in the system directories.
+- Investigate the source of the file by examining recent user activity and process execution logs around the time the file appeared, focusing on any suspicious or unauthorized actions.
+- Correlate the event with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or processes that might indicate exploitation attempts.
+- Assess the risk and impact by determining if the affected system has any sensitive roles or access that could be leveraged by an attacker through privilege escalation.
+- If malicious activity is confirmed, initiate containment measures such as isolating the affected system and conducting a full malware scan to prevent further exploitation.
+
+### False positive analysis
+
+- Legitimate software updates or installations may place JavaScript files in the monitored directories. Verify the source and integrity of the software to ensure it is from a trusted vendor.
+- System administrators or automated scripts might deploy or modify JavaScript files in these paths for legitimate configuration purposes. Review change management logs to confirm authorized activities.
+- Security tools or system maintenance processes could temporarily create or modify files in these directories. Cross-reference with scheduled tasks or security tool logs to validate these actions.
+- Exclude known benign applications or processes that frequently interact with the specified file paths by creating exceptions in the detection rule to reduce noise.
+- Regularly update the detection rule to incorporate new intelligence on false positives, ensuring it remains effective and relevant.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further exploitation or lateral movement by the adversary.
+- Terminate any suspicious processes related to the Windows Print Spooler service to halt ongoing exploitation attempts.
+- Remove unauthorized JavaScript files, specifically "MPDW-constraints.js", from the identified critical paths to eliminate the immediate threat.
+- Apply the latest security patches and updates from Microsoft to address CVE-2022-38028 and ensure the system is protected against known vulnerabilities.
+- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.
+- Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules.
+- Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken."""
+references = [
+    "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/",
+]
+risk_score = 73
+rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type != "deletion" and
+    file.name : "MPDW-constraints.js" and
+    file.path : (
+        "?:\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
+        "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js", 
+        "\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
+        "\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
+    ) and
+    not process.executable : (
+          "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
+          "?:\\Windows\\System32\\taskhostw.exe"
+    ) and
+    not file.path : (
+        "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
+        "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+