Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information, refer to CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
system is patched.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
references = [
    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 21
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category : "file" and host.os.type : "windows" and event.type : "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious PrintSpooler Service Executable File Creation

The Print Spooler service in Windows manages print jobs, but vulnerabilities like CVE-2020-1048 can be exploited for privilege escalation. Adversaries may create malicious DLL files executed by the spooler to gain elevated privileges. The detection rule identifies such threats by monitoring file creation events linked to the spooler process, focusing on DLL files, which are common vectors for exploitation.

### Possible investigation steps

- Review the alert details to confirm the presence of a file creation event with the extension "dll" associated with the "spoolsv.exe" process on a Windows host.
- Check the file path and name of the created DLL to determine if it matches known malicious patterns or locations typically used for exploitation.
- Investigate the source of the spoolsv.exe process by examining the parent process and any associated user accounts to identify potential unauthorized access or activity.
- Analyze recent system logs and security events for any other suspicious activities or anomalies around the time of the DLL creation, such as unexpected user logins or privilege changes.
- Verify the patch status of the affected system against the vulnerabilities CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300 to ensure it is up to date and not susceptible to known exploits.
- If the DLL is confirmed to be malicious, isolate the affected system to prevent further exploitation and begin remediation efforts, including removing the malicious file and any associated threats.

### False positive analysis

- Legitimate DLL updates by trusted software can trigger the rule. Users should verify the source of the DLL and, if confirmed safe, add the software's update process to an exception list.
- System maintenance activities, such as Windows updates, may create DLLs that match the rule's criteria. Users can exclude these activities by identifying the associated update processes and adding them to the exception list.
- Custom in-house applications that interact with the Print Spooler service might generate DLLs during normal operation. Users should validate these applications and exclude their file creation events if they are deemed non-threatening.
- Security software or monitoring tools that interact with the Print Spooler service could inadvertently create DLLs. Users should confirm the legitimacy of these tools and configure exceptions for their operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate the spoolsv.exe process if it is confirmed to be executing a malicious DLL, to halt any ongoing malicious activity.
- Remove the malicious DLL file from the system to prevent re-execution and further exploitation.
- Apply the latest security patches and updates to the affected system, specifically addressing CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300, to close the vulnerabilities exploited by the adversary.
- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred.
- Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms.
- Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response."""

[[rule.filters]]
[rule.filters.meta]
negate = false
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
```
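To see how the three layers of this rule interact (the KQL query, the wildcard `rule.filters` with their negations, and the `new_terms` suppression keyed on `host.id` + `file.path` over a 14-day window), here is an added Python re-implementation run over constructed ECS-style events. It is not Elastic's code; the sample events, host ids and DLL names are made up, and the wildcard matching is approximated with `fnmatch` (`?` = one character, `*` = anything, compared case-insensitively, as the filters specify).

```python
import fnmatch
from datetime import datetime, timedelta

# Wildcard filters as written in rule.filters (one inclusion, the rest negated).
INCLUDE = [r"?:\Windows\Sys?????\*"]
EXCLUDE = [
    r"?:\Windows\Sys?????\PrintConfig.dll",
    r"?:\Windows\Sys?????\x5lrs.dll",
    r"?:\Windows\system32\spool\DRIVERS\x64\*.dll",
    r"?:\Windows\system32\spool\DRIVERS\W32X86\*.dll",
    r"?:\Windows\system32\spool\PRTPROCS\x64\*.dll",
    r"?:\Windows\system32\spool\{????????-????-????-????-????????????}\*.dll",
]
HISTORY_WINDOW = timedelta(days=14)  # rule.new_terms history_window_start = "now-14d"

def matches_query(ev):  # the KQL query: spoolsv.exe creating a .dll on a Windows host
    return (ev["event.category"] == "file" and ev["host.os.type"] == "windows"
            and ev["event.type"] == "creation" and ev["process.name"] == "spoolsv.exe"
            and ev["file.extension"] == "dll")

def passes_filters(path):  # case-insensitive: must hit INCLUDE and none of EXCLUDE
    p = path.lower()
    included = any(fnmatch.fnmatchcase(p, pat.lower()) for pat in INCLUDE)
    excluded = any(fnmatch.fnmatchcase(p, pat.lower()) for pat in EXCLUDE)
    return included and not excluded

def run_rule(events):  # new_terms: alert only if (host.id, file.path) unseen within the window
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not (matches_query(ev) and passes_filters(ev["file.path"])):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = (ev["host.id"], ev["file.path"])
        if key not in last_seen or ts - last_seen[key] > HISTORY_WINDOW:
            alerts.append(key)
        last_seen[key] = ts
    return alerts

def sample(ts, path, host="host-a", proc="spoolsv.exe"):  # constructed ECS-style event, not real telemetry
    return {"@timestamp": ts, "host.id": host, "host.os.type": "windows", "event.category": "file",
            "event.type": "creation", "process.name": proc, "file.path": path,
            "file.extension": path.rsplit(".", 1)[-1].lower()}

SAMPLE_EVENTS = [  # constructed; the comment states the expected outcome
    sample("2025-01-01T09:00:00", r"C:\Windows\System32\PrintConfig.dll"),                    # excluded by filter
    sample("2025-01-01T09:05:00", r"C:\Windows\System32\spool\DRIVERS\x64\3\unidrv.dll"),     # driver dir, excluded
    sample("2025-01-01T09:10:00", r"C:\Windows\System32\constructed_sample.dll"),              # new term: alert
    sample("2025-01-01T09:20:00", r"C:\Windows\System32\constructed_sample.dll"),              # seen 10 min ago: no alert
    sample("2025-01-01T09:30:00", r"C:\Windows\System32\constructed_sample.dll", host="host-b"),  # new on host-b: alert
    sample("2025-01-01T09:40:00", r"C:\Windows\Temp\constructed_sample.dll"),                  # outside Sys?????: no match
    sample("2025-01-01T09:50:00", r"C:\Windows\System32\other.dll", proc="msiexec.exe"),      # not spoolsv: no match
    sample("2025-01-20T09:00:00", r"C:\Windows\System32\constructed_sample.dll"),              # 19 days later: new again
]
```

Running `run_rule(SAMPLE_EVENTS)` yields three alerts, which also shows why an analyst tuning exceptions should key them on the full path: the same DLL name outside the `Sys?????` directories never reaches the filters at all.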