Suspicious Print Spooler Point and Print DLL
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.
Elastic rule
```toml
[metadata]
creation_date = "2020/11/26"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service.
Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as
SYSTEM.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler Point and Print DLL"
references = [
    "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
    "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030",
]
risk_score = 73
rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
]
type = "eql"

query = '''
sequence by host.id with maxspan=30s
[registry where host.os.type == "windows" and
 registry.value : "SpoolDirectory" and
 registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory" and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
[registry where host.os.type == "windows" and
 registry.value : "Module" and
 registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module" and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
'''

note = """## Triage and analysis

### Investigating Suspicious Print Spooler Point and Print DLL

#### Possible investigation steps

- Do the source registry events describe one printer object?
  - Why: sequence alerts joined only on `host.id` can omit stage-specific registry and writer fields; recover member events before interpreting the grouped alert.
  - Focus: compare the printer segment in `registry.path`, `registry.value`, and `registry.data.strings`; keep `user.id` and any `process.entity_id` pivots.
  - Implication: escalate when one printer key sets SpoolDirectory to "C:\\Windows\\System32\\spool\\drivers\\x64\\4" then CopyFiles\\Payload\\Module under that path; lower concern only when recovery breaks the same-printer chain or value match.

- Which process and user wrote the values, and does context fit printer administration?
  - Focus: source-event writer context: `user.id`, `process.executable`, `process.command_line`, `process.parent.executable`, and recovered `process.entity_id`.
  - Implication: escalate when reg.exe, rundll32.exe, a scripting host, a user-writable binary, or an unexpected interactive user wrote the values; lower concern when writer identity, parentage, and service context match the same confirmed driver deployment.

- What DLL path did Module name, and was it staged?
  - Focus: recovered Module `registry.data.strings`; if file telemetry exists, exact-path `file.path`, `file.Ext.original.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier`. Missing file telemetry leaves staging unresolved, not benign.
  - Implication: escalate when the path names a newly written, renamed, internet-marked, or script-staged DLL in the spool drivers tree; lower concern when the exact path is a stable signed printer-driver package tied to the recovered printer object and writer workflow.

- Did Print Spooler or print isolation consume the module?
  - Why: CVE-2020-1030 abuse becomes higher impact when the CopyFiles\\Payload\\Module value is loaded or spooler restart behavior forces the changed configuration into effect.
  - Focus: in library or process telemetry, check spoolsv.exe or PrintIsolationHost.exe loading the recovered path with `dll.path`, `dll.hash.sha256`, `dll.code_signature.subject_name`, and `dll.code_signature.trusted`. $investigate_1
  - Hint: pivot on the recovered Module path because the sequence alert may not preserve that value; spooler termination or restart around the writes can be a force-load clue.
  - Implication: escalate immediately when spooler loads the recovered DLL, restarts unexpectedly, or shows abnormal child activity soon after the writes; absent load telemetry does not clear a matching registry chain.

- If suspicious or unresolved, does the pattern appear beyond this alert?
  - Focus: related alerts for `host.id`, then exact matches for recovered `registry.data.strings`, printer `registry.path`, or `dll.hash.sha256` across other hosts when available. $investigate_0
  - Implication: broaden response when the same module path, DLL hash, printer-object pattern, or spooler-abuse alert appears on unrelated hosts; keep scope local when the pattern stays confined to the same confirmed driver workflow.

- What disposition do registry chain, writer, payload, spooler, and scope evidence support?
  - Focus: decide from same-printer registry stages, writer identity, DLL staging/load, workflow fit, and scope: escalate suspicious or unresolved chains, close only when telemetry cleanly aligns with one signed driver or print-management workflow, and preserve artifacts when evidence is mixed or incomplete.

### False positive analysis

- Recognized signed printer-driver installation, print-management, imaging, or endpoint-build workflows can update SpoolDirectory and CopyFiles\\Payload\\Module or stage spool-directory drivers. Confirm recovered `registry.path`, exact `registry.data.strings`, stable signed DLL identity, writer `process.executable`, parent workflow, current-case `host.id`, and any spooler follow-on all point to the same driver or management workflow without ad hoc scripting, unsigned payloads, or suspicious child processes. Change or deployment records may corroborate; prior-alert recurrence can scope exceptions but must not substitute for current-case telemetry.
- Build exceptions only from the minimum confirmed workflow pattern: `host.id`, recovered printer object from `registry.path`, exact recovered Module path, stable DLL identity, and the confirmed writer or deployment process. Avoid exceptions on the spool drivers directory alone, the printer name alone, or spoolsv.exe activity alone.

### Response and remediation

- If confirmed benign, record `host.id`, the recovered printer object, exact Module path, stable DLL identity, and deployment workflow that justified closure before reversing temporary containment. Create an exception only from that exact confirmed workflow pattern; use prior alerts to narrow scope, not to prove benignity.
- If suspicious but unconfirmed, preserve the Timeline member events, exact `registry.path` and `registry.data.strings`, exported affected registry keys, recovered DLL file if present, file or library hashes, writer `process.executable`, user context, and any spoolsv.exe or PrintIsolationHost.exe follow-on evidence before containment. Apply reversible containment first, such as restricting remote printer administration, disabling Point and Print exposure, or pausing nonessential printing on the affected host.
- If confirmed malicious, preserve the DLL if feasible, export the affected printer keys, and retain related spoolsv.exe or PrintIsolationHost.exe process and library telemetry before containment. Then use endpoint response to isolate the host when registry-chain, payload, or spooler-side evidence shows malicious activity and host criticality allows it. Review other hosts for the same recovered DLL path, DLL hash, or printer-object pattern before stopping spoolsv.exe, deleting the DLL, restoring registry values, and removing the mechanism that staged the payload.
- Post-incident hardening: apply the Microsoft fix for CVE-2020-1030, restrict Point and Print and printer-driver installation rights where feasible, disable the Print Spooler service on hosts that do not need it, retain registry, file, and library telemetry for spooler abuse, and document confirmed printer-object and DLL patterns for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "host.name",
    "user.id",
    "user.name",
    "user.domain"
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Spooler or print isolation loads on the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "library", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.name", queryType = "phrase", value = "spoolsv.exe", valueType = "string" }
    ],
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "library", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.name", queryType = "phrase", value = "PrintIsolationHost.exe", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
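The EQL sequence in the rule joins its two registry stages only on `host.id` within a 30 s window, which is why the first triage question asks whether the recovered member events describe one printer object. The Python below is an added example, not code from the Elastic rule or its repository: it re-implements that two-stage sequence over constructed ECS-style registry events, then applies the same-printer check and the writer-process check from the first two triage questions to each recovered pair. The event builder, the sample events, the "most recent stage-1 event on the host" pairing, and the concrete scripting-host process names in `SUSPICIOUS_WRITERS` are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

SPOOL_DIR = r"C:\Windows\System32\spool\drivers\x64\4"
MAXSPAN = timedelta(seconds=30)

# Captures the printer name and the subkey beneath it. This is stricter than
# the rule's "Printers\\*\\..." wildcard (which would also match nested keys),
# because the triage step needs the printer segment as a comparable value.
PRINTER_KEY = re.compile(
    r".*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\([^\\]+)\\(.+)$",
    re.IGNORECASE,
)

# The rule note names reg.exe, rundll32.exe and "a scripting host" as suspicious
# writers; the specific scripting-host names here are this example's assumption.
SUSPICIOUS_WRITERS = {"reg.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def printer_of(ev):
    """Printer segment of registry.path, or None if the path is not a printer key."""
    m = PRINTER_KEY.match(ev.get("registry.path", ""))
    return m.group(1) if m else None


def stage_of(ev):
    """Return 1 or 2 when the event satisfies that sequence stage, else None.

    EQL ':' comparisons are case-insensitive, so every comparison is lowercased.
    """
    if ev.get("host.os.type") != "windows":
        return None
    m = PRINTER_KEY.match(ev.get("registry.path", ""))
    if not m:
        return None
    subkey = m.group(2).lower()
    value = ev.get("registry.value", "").lower()
    data = ev.get("registry.data.strings", "").lower()
    if value == "spooldirectory" and subkey == "spooldirectory" and data == SPOOL_DIR.lower():
        return 1
    if value == "module" and subkey == r"copyfiles\payload\module" and data.startswith(SPOOL_DIR.lower() + "\\"):
        return 2
    return None


def match_sequence(events):
    """Approximate `sequence by host.id with maxspan=30s` from the rule.

    A stage-2 event is paired with the most recent stage-1 event on the same
    host that is at most MAXSPAN older (an approximation of EQL's sequence
    bookkeeping). Nothing else is joined: not the printer name, not the writer.
    """
    pending = {}  # host.id -> most recent stage-1 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        stage, host = stage_of(ev), ev["host.id"]
        if stage == 1:
            pending[host] = ev
        elif stage == 2 and host in pending:
            first = pending[host]
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                alerts.append((first, ev))
                del pending[host]
    return alerts


def triage(first, second):
    """Apply the first two triage questions to a recovered pair of member events."""
    writers = {e.get("process.name", "").lower() for e in (first, second)}
    return {
        "host.id": first["host.id"],
        "same_printer": printer_of(first).lower() == printer_of(second).lower(),
        "module_path": second["registry.data.strings"],
        "suspicious_writer": bool(writers & SUSPICIOUS_WRITERS),
    }


def _ev(host, secs, printer, value, subkey, data, writer):
    """Build a constructed ECS-style registry event (sample data, not real telemetry)."""
    base = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers"
    return {
        "@timestamp": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=secs),
        "host.id": host, "host.os.type": "windows",
        "registry.path": base + "\\" + printer + "\\" + subkey,
        "registry.value": value, "registry.data.strings": data, "process.name": writer,
    }


# Constructed sample events: one true positive, one host.id-only coincidence,
# one pair outside maxspan, and one where stage 1 never matches.
SAMPLE_EVENTS = [
    _ev("host-a", 0, "Printer1", "SpoolDirectory", "SpoolDirectory", SPOOL_DIR, "reg.exe"),
    _ev("host-a", 5, "Printer1", "Module", r"CopyFiles\Payload\Module", SPOOL_DIR + r"\payload.dll", "reg.exe"),
    _ev("host-b", 0, "HP-Office", "SpoolDirectory", "SpoolDirectory", SPOOL_DIR, "spoolsv.exe"),
    _ev("host-b", 10, "Canon-Lobby", "Module", r"CopyFiles\Payload\Module", SPOOL_DIR + r"\vendordrv.dll", "spoolsv.exe"),
    _ev("host-c", 0, "Printer1", "SpoolDirectory", "SpoolDirectory", SPOOL_DIR, "reg.exe"),
    _ev("host-c", 60, "Printer1", "Module", r"CopyFiles\Payload\Module", SPOOL_DIR + r"\payload.dll", "reg.exe"),
    _ev("host-d", 0, "Printer1", "SpoolDirectory", "SpoolDirectory", r"C:\Spool", "reg.exe"),
    _ev("host-d", 2, "Printer1", "Module", r"CopyFiles\Payload\Module", SPOOL_DIR + r"\payload.dll", "reg.exe"),
]


def run_demo(events=SAMPLE_EVENTS):
    """Run the sequence and triage over the sample events; returns one dict per alert."""
    return [triage(a, b) for a, b in match_sequence(events)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running it yields two alerts: `host-a` (same printer, written by reg.exe, so escalate) and `host-b` (two different printer objects written by spoolsv.exe, the kind of host-level coincidence the first triage step tells the analyst to recover and discount). `host-c` produces no alert because its stages are 60 s apart, and `host-d` never satisfies stage 1 because SpoolDirectory points outside the spool drivers tree.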
Related rules
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Suspicious Print Spooler File Deletion
- Unusual Print Spooler Child Process
- Bypass UAC via Event Viewer
- Potential Escalation via Vulnerable MSI Repair