Suspicious Print Spooler File Deletion

Detects deletion of print driver files by an unusual process. This may indicate a clean-up attempt following successful privilege escalation through Print Spooler service vulnerabilities.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful
privilege escalation via Print Spooler service related vulnerabilities.
"""
false_positives = [
    """
    Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as
    manufacturer and signature information.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler File Deletion"
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "deletion" and
  file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and
  not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Print Spooler File Deletion

The Print Spooler service in Windows manages print jobs and interactions with printers. Adversaries exploit vulnerabilities in this service to escalate privileges, often deleting print driver files to cover their tracks. The detection rule identifies unusual deletions of these files by processes other than legitimate ones, signaling potential misuse and aiding in early threat detection.

### Possible investigation steps

- Review the alert details to identify the specific file path and name of the deleted DLL file within "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\".
- Examine the process responsible for the deletion by checking the process name and its parent process to determine if it is a known legitimate process or a potentially malicious one.
- Investigate the timeline of events around the deletion to identify any preceding or subsequent suspicious activities, such as privilege escalation attempts or unauthorized access.
- Check for any recent vulnerabilities or exploits related to the Print Spooler service that might have been leveraged in this context.
- Correlate the event with other security logs and alerts from data sources like Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and confirm the presence of malicious activity.
- Assess the affected system for any signs of compromise or persistence mechanisms that may have been established following the deletion event.

### False positive analysis

- System maintenance or updates may trigger legitimate deletions of print driver files. Monitor scheduled maintenance activities and correlate them with detected events to confirm legitimacy.
- Third-party printer management software might delete or update driver files as part of its normal operation. Identify and whitelist these processes if they are verified as non-threatening.
- Custom scripts or administrative tools used by IT staff for printer management could inadvertently match the rule's criteria. Review and document these tools, then create exceptions for known safe operations.
- Automated deployment tools that update or clean up printer drivers across the network might cause false positives. Ensure these tools are recognized and excluded from the detection rule if they are part of routine operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified as responsible for the deletion of print driver files, ensuring they are not legitimate system processes.
- Restore the deleted print driver files from a known good backup to ensure the Print Spooler service functions correctly.
- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.
- Apply the latest security patches and updates to the Print Spooler service and related components to mitigate known vulnerabilities.
- Monitor the affected system and network for any signs of further suspicious activity, focusing on similar file deletion patterns or privilege escalation attempts.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
...
```
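The EQL query above boils down to four conditions on a single file event: Windows host, deletion event, a `.dll` under the x64 spool driver directory, and a deleting process outside the short allow-list. The following Python is an added example (not Elastic's code and not part of the rule) that re-implements those conditions over constructed sample events so you can see what does and does not fire, including the EQL `:` operator's case-insensitive wildcard matching. The `extra_exclusions` parameter and the `PrintMgmtTool.exe` process name are assumptions standing in for the site-specific exceptions the false-positive section recommends; the events are flattened ECS-style dicts with `event.type` reduced to a single string for simplicity.

```python
"""Stand-alone model of the "Suspicious Print Spooler File Deletion" rule logic.

Added example, not Elastic's code. Events are flat dicts keyed by ECS field
names; all sample events below are constructed, not real telemetry.
"""
import re

# Conditions lifted from the rule's EQL query. In EQL the ':' operator is
# case-insensitive and treats '*' and '?' as wildcards, while '==' is exact.
SPOOL_DRIVER_PATTERN = r"?:\Windows\System32\spool\drivers\x64\3\*.dll"
RULE_EXCLUDED_PROCESSES = ("spoolsv.exe", "dllhost.exe", "explorer.exe")


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex.

    '*' matches any run of characters (path separators included, so files in
    subdirectories of the driver folder also match), '?' matches exactly one.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


SPOOL_DRIVER_RE = eql_wildcard_to_regex(SPOOL_DRIVER_PATTERN)


def ci_in(value, candidates) -> bool:
    """Case-insensitive membership test, mirroring `field : ("a", "b")` in EQL."""
    return value is not None and value.lower() in {c.lower() for c in candidates}


def matches_rule(event: dict, extra_exclusions=()) -> bool:
    """Return True when one file event satisfies every condition of the rule.

    `extra_exclusions` is an assumed, site-specific tuple of process names that
    triage has verified as benign (for example a printer management tool); it
    models the exceptions described under "False positive analysis".
    """
    if event.get("event.category") != "file":      # `file where ...`
        return False
    if event.get("host.os.type") != "windows":      # exact match ('==')
        return False
    if event.get("event.type") != "deletion":       # exact match ('==')
        return False
    if not ci_in(event.get("file.extension"), ("dll",)):
        return False
    if not SPOOL_DRIVER_RE.match(event.get("file.path") or ""):
        return False
    process = event.get("process.name")
    if ci_in(process, RULE_EXCLUDED_PROCESSES) or ci_in(process, extra_exclusions):
        return False
    return True


def run_rule(events, extra_exclusions=()):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e, extra_exclusions)]


# Constructed sample events covering the hit and miss cases.
_BASE = {"event.category": "file", "event.type": "deletion", "host.os.type": "windows",
         "file.extension": "dll",
         "file.path": r"C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL"}
SAMPLE_EVENTS = [
    {**_BASE, "id": "e1", "process.name": "powershell.exe"},      # unusual deleter: alert
    {**_BASE, "id": "e2", "process.name": "spoolsv.exe"},         # spooler itself: allow-listed
    {**_BASE, "id": "e3", "process.name": "CMD.EXE",              # case variants, subdirectory: alert
     "file.path": r"c:\windows\system32\spool\drivers\x64\3\new\driver.dll"},
    {**_BASE, "id": "e4", "process.name": "cmd.exe",              # not a DLL: no alert
     "file.extension": "txt",
     "file.path": r"C:\Windows\System32\spool\drivers\x64\3\driver.txt"},
    {**_BASE, "id": "e5", "process.name": "rm", "host.os.type": "linux"},   # wrong OS
    {**_BASE, "id": "e6", "process.name": "cmd.exe", "event.type": "creation"},  # not a deletion
    {**_BASE, "id": "e7", "process.name": "PrintMgmtTool.exe"},   # hypothetical vendor tool
]

if __name__ == "__main__":
    print("rule as shipped:", run_rule(SAMPLE_EVENTS))
    print("with site exception:", run_rule(SAMPLE_EVENTS, extra_exclusions=("printmgmttool.exe",)))
```

Running it shows `e1`, `e3` and `e7` firing under the rule as shipped, and only `e1` and `e3` once the vendor tool is added as an exception. The `e3` case is worth noting during tuning: because EQL's `*` is not stopped by backslashes, any `.dll` beneath the `x64\3` directory tree matches, not just files directly inside it.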
