Suspicious PrintSpooler Service Executable File Creation
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.
Elastic rule
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted
system is patched.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious PrintSpooler Service Executable File Creation

The Print Spooler service in Windows manages print jobs, but vulnerabilities like CVE-2020-1048 can be exploited for privilege escalation. Adversaries may create malicious DLL files executed by the spooler to gain elevated privileges. The detection rule identifies such threats by monitoring file creation events linked to the spooler process, focusing on DLL files, which are common vectors for exploitation.

### Possible investigation steps

- Review the alert details to confirm the presence of a file creation event with the extension "dll" associated with the "spoolsv.exe" process on a Windows host.
- Check the file path and name of the created DLL to determine if it matches known malicious patterns or locations typically used for exploitation.
- Investigate the source of the spoolsv.exe process by examining the parent process and any associated user accounts to identify potential unauthorized access or activity.
- Analyze recent system logs and security events for any other suspicious activities or anomalies around the time of the DLL creation, such as unexpected user logins or privilege changes.
- Verify the patch status of the affected system against the vulnerabilities CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300 to ensure it is up to date and not susceptible to known exploits.
- If the DLL is confirmed to be malicious, isolate the affected system to prevent further exploitation and begin remediation efforts, including removing the malicious file and any associated threats.

### False positive analysis

- Legitimate DLL updates by trusted software can trigger the rule. Users should verify the source of the DLL and, if confirmed safe, add the software's update process to an exception list.
- System maintenance activities, such as Windows updates, may create DLLs that match the rule's criteria. Users can exclude these activities by identifying the associated update processes and adding them to the exception list.
- Custom in-house applications that interact with the Print Spooler service might generate DLLs during normal operation. Users should validate these applications and exclude their file creation events if they are deemed non-threatening.
- Security software or monitoring tools that interact with the Print Spooler service could inadvertently create DLLs. Users should confirm the legitimacy of these tools and configure exceptions for their operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate the spoolsv.exe process if it is confirmed to be executing a malicious DLL, to halt any ongoing malicious activity.
- Remove the malicious DLL file from the system to prevent re-execution and further exploitation.
- Apply the latest security patches and updates to the affected system, specifically addressing CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300, to close the vulnerabilities exploited by the adversary.
- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred.
- Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms.
- Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response."""
references = [
    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 21
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category : "file" and host.os.type : "windows" and event.type : "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll"
'''


[[rule.filters]]

[rule.filters.meta]
negate = false
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\*"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
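The following Python is an added example, not part of the Elastic rule or its repository: it replays the rule's three layers over constructed events so the triage logic can be checked offline. It applies the KQL match, then the seven wildcard filters the way Kibana does (the negate=false filter must match, every negate=true filter must not), then the new_terms check on the (host.id, file.path) pair over the 14-day history window. The `sample` helper, `run_rule` and all event values are assumptions of this example.

```python
import fnmatch
from datetime import datetime, timedelta
# The rule's wildcard filters with TOML escaping removed; negate=True means "must not match".
FILTERS = [
    (False, r"?:\Windows\Sys?????\*"),
    (True, r"?:\Windows\Sys?????\PrintConfig.dll"),
    (True, r"?:\Windows\Sys?????\x5lrs.dll"),
    (True, r"?:\Windows\system32\spool\DRIVERS\x64\*.dll"),
    (True, r"?:\Windows\system32\spool\DRIVERS\W32X86\*.dll"),
    (True, r"?:\Windows\system32\spool\PRTPROCS\x64\*.dll"),
    (True, r"?:\Windows\system32\spool\{????????-????-????-????-????????????}\*.dll"),
]
HISTORY_WINDOW = timedelta(days=14)  # rule.new_terms history_window_start = "now-14d"

def matches_query(ev):  # the KQL: a .dll file creation on Windows by spoolsv.exe
    return (ev["event.category"] == "file" and ev["host.os.type"] == "windows"
            and ev["event.type"] == "creation" and ev["process.name"] == "spoolsv.exe"
            and ev["file.extension"] == "dll")

def passes_filters(path):
    # Kibana ANDs the filters: negate=False must match, negate=True must not; lower-casing
    # both sides implements case_insensitive = true. fnmatch treats backslashes literally.
    return all(fnmatch.fnmatchcase(path.lower(), pat.lower()) != neg for neg, pat in FILTERS)

def run_rule(events):
    """Events (in timestamp order) that would alert: query + filters + a (host.id, file.path)
    pair not seen in the previous 14 days, which is what type = "new_terms" adds."""
    last_seen, alerts = {}, []
    for ev in events:
        if not (matches_query(ev) and passes_filters(ev["file.path"])):
            continue
        key = (ev["host.id"], ev["file.path"])
        if key not in last_seen or ev["@timestamp"] - last_seen[key] > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[key] = ev["@timestamp"]
    return alerts

def sample(ts, host, proc, path):  # constructed ECS-style file event, not real telemetry
    return {"@timestamp": ts, "host.id": host, "host.os.type": "windows", "event.category": "file",
            "event.type": "creation", "process.name": proc, "file.path": path,
            "file.extension": path.rsplit(".", 1)[-1].lower()}

T0 = datetime(2025, 3, 20)
SAMPLE_EVENTS = [  # constructed; the comment on each line gives the expected verdict
    sample(T0, "host-a", "spoolsv.exe", r"C:\Windows\System32\spool\DRIVERS\x64\3\UNIDRV.DLL"),  # excluded
    sample(T0, "host-a", "spoolsv.exe", r"C:\Windows\System32\PrintConfig.dll"),                 # excluded
    sample(T0, "host-a", "spoolsv.exe", r"C:\Users\Public\unknown.dll"),                         # not Sys?????
    sample(T0 + timedelta(hours=1), "host-a", "spoolsv.exe", r"C:\Windows\System32\unknown.dll"),  # alert
    sample(T0 + timedelta(days=1), "host-a", "spoolsv.exe", r"C:\Windows\System32\unknown.dll"),   # seen, no alert
    sample(T0 + timedelta(days=1), "host-b", "spoolsv.exe", r"C:\Windows\System32\unknown.dll"),   # new host, alert
]
```

Tuning an exception for a legitimate updater, as the false-positive section suggests, corresponds to adding another negated entry to FILTERS and re-running the replay.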
Related rules
- Persistence via Update Orchestrator Service Hijack
- Suspicious Print Spooler File Deletion
- Bypass UAC via Event Viewer
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service