Deprecated - Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.

Elastic rule

[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
system is patched.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated - Suspicious PrintSpooler Service Executable File Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Deprecated - Suspicious PrintSpooler Service Executable File Creation

The Print Spooler service in Windows manages print jobs, but vulnerabilities like CVE-2020-1048 can be exploited for privilege escalation. Adversaries may create malicious DLL files executed by the spooler to gain elevated privileges. The detection rule identifies such threats by monitoring file creation events linked to the spooler process, focusing on DLL files, which are common vectors for exploitation.

### Possible investigation steps

- Review the alert details to confirm the presence of a file creation event with the extension "dll" associated with the "spoolsv.exe" process on a Windows host.
- Check the file path and name of the created DLL to determine if it matches known malicious patterns or locations typically used for exploitation.
- Investigate the source of the spoolsv.exe process by examining the parent process and any associated user accounts to identify potential unauthorized access or activity.
- Analyze recent system logs and security events for any other suspicious activities or anomalies around the time of the DLL creation, such as unexpected user logins or privilege changes.
- Verify the patch status of the affected system against the vulnerabilities CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300 to ensure it is up to date and not susceptible to known exploits.
- If the DLL is confirmed to be malicious, isolate the affected system to prevent further exploitation and begin remediation efforts, including removing the malicious file and any associated threats.

### False positive analysis

- Legitimate DLL updates by trusted software can trigger the rule. Users should verify the source of the DLL and, if confirmed safe, add the software's update process to an exception list.
- System maintenance activities, such as Windows updates, may create DLLs that match the rule's criteria. Users can exclude these activities by identifying the associated update processes and adding them to the exception list.
- Custom in-house applications that interact with the Print Spooler service might generate DLLs during normal operation. Users should validate these applications and exclude their file creation events if they are deemed non-threatening.
- Security software or monitoring tools that interact with the Print Spooler service could inadvertently create DLLs. Users should confirm the legitimacy of these tools and configure exceptions for their operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate the spoolsv.exe process if it is confirmed to be executing a malicious DLL, to halt any ongoing malicious activity.
- Remove the malicious DLL file from the system to prevent re-execution and further exploitation.
- Apply the latest security patches and updates to the affected system, specifically addressing CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300, to close the vulnerabilities exploited by the adversary.
- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred.
- Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms.
- Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response."""
references = [
    "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
    "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
]
risk_score = 21
rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category : "file" and host.os.type : "windows" and event.type : "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll"
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""


[[rule.filters]]
[rule.filters.meta]
negate = false
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
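The KQL query, the seven `rule.filters` wildcard clauses and the `new_terms` settings above only alert in combination, which is easy to misread from the TOML alone. The Python below is an added example, not Elastic's detection-engine code: it re-implements that logic over a handful of constructed file-creation events so the filter behaviour (the `Sys?????` include clause, the spooler driver-directory exclusions, the `*` wildcard spanning nested directories) and the new-terms suppression keyed on `host.id` + `file.name` can be seen directly. The wildcard values are written as the TOML strings decode (one backslash per path separator), the new-terms logic is a simplified stand-in for Elastic's history-window lookback, and the host ids, timestamps and paths in the sample events are invented.

```python
"""Re-implementation of the rule's matching logic over constructed sample events.

Added example: this is not Elastic's detection-engine code. It mirrors the KQL
query, the seven file.path wildcard filters (as their TOML values decode) and a
simplified version of the new_terms lookback on ("host.id", "file.name").
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# The rule.filters values after TOML unescaping: "?" = one char, "*" = any run
# of chars (fnmatch does not treat "\\" as a separator, so "*" spans subdirs).
INCLUDE_PATHS = [r"?:\Windows\Sys?????\*"]
EXCLUDE_PATHS = [
    r"?:\Windows\Sys?????\PrintConfig.dll",
    r"?:\Windows\Sys?????\x5lrs.dll",
    r"?:\Windows\system32\spool\DRIVERS\x64\*.dll",
    r"?:\Windows\system32\spool\DRIVERS\W32X86\*.dll",
    r"?:\Windows\system32\spool\PRTPROCS\x64\*.dll",
    r"?:\Windows\system32\spool\{????????-????-????-????-????????????}\*.dll",
]
NEW_TERMS_FIELDS = ("host.id", "file.name")   # rule.new_terms.value
HISTORY_WINDOW = timedelta(days=5)            # history_window_start = "now-5d"


def wildcard_match(pattern: str, value: str) -> bool:
    """case_insensitive = true wildcard match, as in the rule's filters."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_query(ev: dict) -> bool:
    """The KQL query: exact matches on ECS keyword fields."""
    return (
        ev.get("event.category") == "file"
        and ev.get("host.os.type") == "windows"
        and ev.get("event.type") == "creation"
        and ev.get("process.name") == "spoolsv.exe"
        and ev.get("file.extension") == "dll"
    )


def passes_filters(ev: dict) -> bool:
    """The negate = false filter must match; no negate = true filter may match."""
    path = ev.get("file.path", "")
    if not any(wildcard_match(p, path) for p in INCLUDE_PATHS):
        return False
    return not any(wildcard_match(p, path) for p in EXCLUDE_PATHS)


def run_rule(events: list[dict]) -> list[dict]:
    """Return the events that alert.

    Simplified new_terms: a matching event alerts only when its
    (host.id, file.name) pair was not seen in another matching event during
    the preceding HISTORY_WINDOW. Non-matching events never update history.
    """
    last_seen: dict[tuple, datetime] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not (matches_query(ev) and passes_filters(ev)):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
        prev = last_seen.get(key)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts


def _ev(ts, host, proc, path, os_type="windows", etype="creation"):
    """Build a constructed ECS-style file event (sample data, not a real log)."""
    name = path.rsplit("\\", 1)[-1]
    return {
        "@timestamp": ts, "host.id": host, "host.os.type": os_type,
        "event.category": "file", "event.type": etype, "process.name": proc,
        "file.path": path, "file.name": name,
        "file.extension": name.rsplit(".", 1)[-1].lower() if "." in name else "",
    }


# Constructed sample events; host ids, times and paths are invented.
SAMPLE_EVENTS = [
    _ev("2024-06-01T09:00:00+00:00", "host-a", "spoolsv.exe", r"C:\Windows\System32\evil_printer.dll"),  # alerts
    _ev("2024-06-01T09:01:00+00:00", "host-a", "spoolsv.exe", r"C:\Windows\System32\PrintConfig.dll"),   # excluded
    _ev("2024-06-01T09:02:00+00:00", "host-a", "spoolsv.exe", r"C:\Windows\System32\spool\DRIVERS\x64\3\UNIDRV.DLL"),  # excluded
    _ev("2024-06-01T09:03:00+00:00", "host-a", "svchost.exe", r"C:\Windows\System32\foo.dll"),           # wrong process
    _ev("2024-06-01T09:04:00+00:00", "host-a", "spoolsv.exe", r"C:\Users\Public\evil_printer.dll"),      # outside Sys?????
    _ev("2024-06-01T09:05:00+00:00", "host-c", "spoolsv.exe", r"C:\Windows\System32\x.dll", os_type="linux"),  # not windows
    _ev("2024-06-02T09:00:00+00:00", "host-a", "spoolsv.exe", r"C:\Windows\SysWOW64\evil_printer.dll"),  # same host+name: suppressed
    _ev("2024-06-02T09:30:00+00:00", "host-b", "spoolsv.exe", r"C:\Windows\System32\evil_printer.dll"),  # new host: alerts
    _ev("2024-06-10T09:00:00+00:00", "host-a", "spoolsv.exe", r"C:\Windows\System32\evil_printer.dll"),  # >5 d later: alerts again
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(a["@timestamp"], a["host.id"], a["file.path"])
```

Two behaviours worth noting when tuning this rule. The `*` in the exclusion `spool\DRIVERS\x64\*.dll` matches across directory separators, so the versioned driver subdirectories the spooler writes to are excluded wholesale. And because the new-terms key is `file.name` rather than `file.path`, the same DLL name appearing a day later under a different `Sys?????` directory on the same host is suppressed; only a new host or a lapse longer than the five-day window produces another alert.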
