Rule Documentation: Potential Privilege Escalation via CVE-2022-38028 (Windows)
Printspooler Elevation
Query
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\" or FolderPath startswith "C:\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf"
| where FileName endswith ".js" or FileName == "MPDW-constraints.js"
| where InitiatingProcessFileName != "drvinst.exe"About this query
Rule Documentation: Potential Privilege Escalation via CVE-2022-38028 (Windows)
Description
This detection rule identifies potential privilege escalation attempts on Windows systems via CVE-2022-38028. This vulnerability allows attackers to escalate privileges by exploiting specific processes and file paths. Monitoring for these patterns can help detect malicious activities aiming to exploit this CVE.
- [Microsoft analyzing forest blizzards] (https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/)
- Elastic Security Guide on CVE-2022-38028
Detection Logic
- Monitors
DeviceFileEventsfor file creation events in specific directories associated with the CVE. - Filters for JavaScript files created in these directories, excluding those initiated by the legitimate
drvinst.exeprocess.
Tags
- Privilege Escalation
- CVE-2022-38028
Search Query
Explanation
This query detects potential privilege escalation attempts on Windows systems using CVE-2022-38028 by monitoring file creation events in specific directories for JavaScript files, excluding those created by the legitimate drvinst.exe process.
Details

Ali Hussein
Released: May 20, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEventsActionTypeFileCreatedFolderPathstartswithFileNameendswithInitiatingProcessFileNameCVE-2022-38028
Operators
wherestartswithorendswith==!=