Unusual Print Spooler Child Process

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
"""
false_positives = [
    """
    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
    signature information.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "spoolsv.exe" and process.command_line != null and
 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and

 /* exclusions for FP control below */
 not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
 not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
 not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
 not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
 not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
 not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
 not process.executable : (
    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Print Spooler Child Process

The Print Spooler service, integral to Windows environments, manages print jobs and interactions with printers. Adversaries may exploit vulnerabilities in this service to escalate privileges, gaining unauthorized access or control. The detection rule identifies suspicious child processes spawned by the Print Spooler, excluding known legitimate processes, to flag potential exploitation attempts, focusing on unusual command lines and integrity levels.

### Possible investigation steps

- Review the process details to identify the unusual child process spawned by spoolsv.exe, focusing on the process name and command line arguments to understand its purpose and potential malicious intent.
- Check the integrity level of the process using the fields process.Ext.token.integrity_level_name or winlog.event_data.IntegrityLevel to confirm if it is running with elevated privileges, which could indicate an exploitation attempt.
- Investigate the parent-child relationship by examining the process tree to determine if there are any other suspicious processes associated with the same parent process, spoolsv.exe.
- Cross-reference the process executable path against known legitimate software paths to ensure it is not a false positive, especially if the executable is not listed in the exclusion paths.
- Analyze recent system logs and security events around the time of the alert to identify any other anomalous activities or patterns that could be related to the potential exploitation attempt.
- If the process is confirmed suspicious, isolate the affected system to prevent further exploitation and conduct a deeper forensic analysis to understand the scope and impact of the incident.

### False positive analysis

- Legitimate print-related processes like splwow64.exe, PDFCreator.exe, and acrodist.exe may trigger alerts. These are excluded in the rule to prevent false positives.
- System processes such as msiexec.exe, route.exe, and WerFault.exe are known to be legitimate child processes of the Print Spooler and are excluded to reduce false alerts.
- Commands involving net.exe for starting or stopping services are common in administrative tasks and are excluded to avoid unnecessary alerts.
- Command-line operations involving cmd.exe or powershell.exe that reference .spl files or system paths are often legitimate and are excluded to minimize false positives.
- Network configuration changes using netsh.exe, such as adding port openings or rules, are typical in network management and are excluded to prevent false alerts.
- Registration of PrintConfig.dll via regsvr32.exe is a known legitimate operation and is excluded to avoid false positives.
- Executables from known paths like CutePDF Writer and GPLGS are excluded to prevent alerts from common, non-threatening applications.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate any suspicious child processes spawned by the Print Spooler service that do not match known legitimate processes or command lines.
- Conduct a thorough review of the system's security logs to identify any unauthorized access or privilege escalation attempts related to the Print Spooler service.
- Apply the latest security patches and updates to the Windows operating system and specifically to the Print Spooler service to mitigate known vulnerabilities.
- Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed.
- Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
...
```
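To show how the query's conditions and false-positive exclusions combine, here is an added Python re-implementation of the rule logic run over constructed process-start events; it is example code, not part of the Elastic rule or its EQL engine. The flattened ECS field names are taken from the query, and the `like` helper approximates EQL's case-insensitive `:` wildcard operator with `fnmatch`; the events and their command lines are constructed for this example.

```python
import fnmatch

# Process names and executables the rule excludes for false-positive control (copied from the query).
EXCLUDED_NAMES = ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe",
                  "msiexec.exe", "route.exe", "WerFault.exe")
EXCLUDED_EXECUTABLES = ("?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
                        "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe")

def like(value, *patterns):
    """EQL ':' operator: case-insensitive wildcard match ('*' and '?'); null never matches."""
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches(ev):
    """True when a flattened ECS event meets every condition of the rule and none of its exclusions."""
    g = ev.get
    if not (g("host.os.type") == "windows" and g("event.type") == "start"
            and like(g("process.parent.name"), "spoolsv.exe") and g("process.command_line") is not None):
        return False
    # '?field' marks the field optional: a missing field is null, and null never matches "System".
    if not (like(g("process.Ext.token.integrity_level_name"), "System")
            or like(g("winlog.event_data.IntegrityLevel"), "System")):
        return False
    name, cmd = g("process.name"), g("process.command_line")
    excluded = (
        like(name, *EXCLUDED_NAMES)
        or like(cmd, "*\\WINDOWS\\system32\\spool\\DRIVERS*")
        or (like(name, "net.exe") and like(cmd, "*stop*", "*start*"))
        or (like(name, "cmd.exe", "powershell.exe") and like(cmd, "*.spl*", "*\\program files*", "*route add*"))
        or (like(name, "netsh.exe") and like(cmd, "*add portopening*", "*rule name*"))
        or (like(name, "regsvr32.exe") and like(cmd, "*PrintConfig.dll*"))
        or like(g("process.executable"), *EXCLUDED_EXECUTABLES)
    )
    return not excluded

# Constructed sample events (not real telemetry): Windows process starts whose parent is spoolsv.exe.
BASE = {"host.os.type": "windows", "event.type": "start", "process.parent.name": "spoolsv.exe"}
SYSTEM = {"process.Ext.token.integrity_level_name": "System"}
SAMPLE_EVENTS = {
    "cmd_system": {**BASE, **SYSTEM, "process.name": "cmd.exe", "process.command_line": "cmd.exe /c echo hi"},
    "ps_winlog": {**BASE, "winlog.event_data.IntegrityLevel": "System",  # Security-log variant of the field
                  "process.name": "powershell.exe", "process.command_line": "powershell.exe -c Get-Date"},
    "splwow64": {**BASE, **SYSTEM, "process.name": "splwow64.exe", "process.command_line": "splwow64.exe"},
    "driver_setup": {**BASE, **SYSTEM, "process.name": "setup.exe",
                     "process.command_line": "C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\setup.exe"},
    "net_stop": {**BASE, **SYSTEM, "process.name": "net.exe", "process.command_line": "net stop spooler"},
    "no_integrity": {**BASE, "process.name": "cmd.exe", "process.command_line": "cmd.exe /c echo hi"},
}

def alerting_ids(events=SAMPLE_EVENTS):
    # Ids of the events the rule would alert on, in input order.
    return [eid for eid, ev in events.items() if matches(ev)]
```

Only the two System-integrity children that hit no exclusion alert; the driver install under spool\DRIVERS, the net.exe service stop, splwow64.exe and the event with no integrity field are all suppressed.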
