Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Elastic rule
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
"""
false_positives = [
    """
    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
    signature information.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "spoolsv.exe" and process.command_line != null and
  (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and

  /* exclusions for FP control below */
  not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
  not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
  not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
  not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
  not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
  not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
  not process.executable : (
    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Print Spooler Child Process

The Print Spooler service, integral to Windows environments, manages print jobs and interactions with printers. Adversaries may exploit vulnerabilities in this service to escalate privileges, gaining unauthorized access or control. The detection rule identifies suspicious child processes spawned by the Print Spooler, excluding known legitimate processes, to flag potential exploitation attempts, focusing on unusual command lines and integrity levels.

### Possible investigation steps

- Review the process details to identify the unusual child process spawned by spoolsv.exe, focusing on the process name and command line arguments to understand its purpose and potential malicious intent.
- Check the integrity level of the process using the fields process.Ext.token.integrity_level_name or winlog.event_data.IntegrityLevel to confirm if it is running with elevated privileges, which could indicate an exploitation attempt.
- Investigate the parent-child relationship by examining the process tree to determine if there are any other suspicious processes associated with the same parent process, spoolsv.exe.
- Cross-reference the process executable path against known legitimate software paths to ensure it is not a false positive, especially if the executable is not listed in the exclusion paths.
- Analyze recent system logs and security events around the time of the alert to identify any other anomalous activities or patterns that could be related to the potential exploitation attempt.
- If the process is confirmed suspicious, isolate the affected system to prevent further exploitation and conduct a deeper forensic analysis to understand the scope and impact of the incident.

### False positive analysis

- Legitimate print-related processes like splwow64.exe, PDFCreator.exe, and acrodist.exe may trigger alerts. These are excluded in the rule to prevent false positives.
- System processes such as msiexec.exe, route.exe, and WerFault.exe are known to be legitimate child processes of the Print Spooler and are excluded to reduce false alerts.
- Commands involving net.exe for starting or stopping services are common in administrative tasks and are excluded to avoid unnecessary alerts.
- Command-line operations involving cmd.exe or powershell.exe that reference .spl files or system paths are often legitimate and are excluded to minimize false positives.
- Network configuration changes using netsh.exe, such as adding port openings or rules, are typical in network management and are excluded to prevent false alerts.
- Registration of PrintConfig.dll via regsvr32.exe is a known legitimate operation and is excluded to avoid false positives.
- Executables from known paths like CutePDF Writer and GPLGS are excluded to prevent alerts from common, non-threatening applications.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate any suspicious child processes spawned by the Print Spooler service that do not match known legitimate processes or command lines.
- Conduct a thorough review of the system's security logs to identify any unauthorized access or privilege escalation attempts related to the Print Spooler service.
- Apply the latest security patches and updates to the Windows operating system and specifically to the Print Spooler service to mitigate known vulnerabilities.
- Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed.
- Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
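To make the query's logic and its false-positive exclusions concrete, the following Python is an added reference re-implementation of the rule's predicate, not code from Elastic or the detection-rules repository. It models the EQL `:` operator as a case-insensitive wildcard match (`*` and `?`), treats the `?`-prefixed optional fields as "missing means no match", and applies every exclusion from the query in order. The events it runs over are constructed here to exercise each branch (an excluded driver-install path, an excluded executable, a non-System integrity level, a missing command line, and one event that should fire); field names follow ECS and the rule, but the values are invented for the test.

```python
from fnmatch import fnmatchcase

# Exclusion lists copied from the rule's EQL query.
EXCLUDED_NAMES = ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe",
                  "msiexec.exe", "route.exe", "WerFault.exe")
EXCLUDED_EXECUTABLES = (r"?:\Program Files (x86)\CutePDF Writer\CPWriter2.exe",
                        r"?:\Program Files (x86)\GPLGS\gswin32c.exe")
# (process name patterns, command-line patterns) pairs: both must match to exclude.
EXCLUDED_NAME_AND_CMDLINE = (
    (("net.exe",), ("*stop*", "*start*")),
    (("cmd.exe", "powershell.exe"), ("*.spl*", r"*\program files*", "*route add*")),
    (("netsh.exe",), ("*add portopening*", "*rule name*")),
    (("regsvr32.exe",), ("*PrintConfig.dll*",)),
)


def eql_match(value, patterns):
    """EQL ':' operator: case-insensitive wildcard match against any pattern; None never matches."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def get(event, path):
    """Dotted-path lookup; a missing field (optional '?' fields included) yields None."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def rule_matches(event):
    """Return True when the event would satisfy the rule's EQL predicate."""
    if get(event, "host.os.type") != "windows" or get(event, "event.type") != "start":
        return False
    if not eql_match(get(event, "process.parent.name"), "spoolsv.exe"):
        return False
    cmd = get(event, "process.command_line")
    if cmd is None:  # process.command_line != null
        return False
    # Either telemetry source may report the integrity level; one is enough.
    if not (eql_match(get(event, "process.Ext.token.integrity_level_name"), "System")
            or eql_match(get(event, "winlog.event_data.IntegrityLevel"), "System")):
        return False
    name = get(event, "process.name")
    if eql_match(name, EXCLUDED_NAMES):
        return False
    if eql_match(cmd, r"*\WINDOWS\system32\spool\DRIVERS*"):  # driver install/update
        return False
    for names, cmd_patterns in EXCLUDED_NAME_AND_CMDLINE:
        if eql_match(name, names) and eql_match(cmd, cmd_patterns):
            return False
    if eql_match(get(event, "process.executable"), EXCLUDED_EXECUTABLES):
        return False
    return True


def make_event(name, command_line, executable=None, parent="spoolsv.exe", ext_level=None,
               winlog_level=None, event_type="start"):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    proc = {"name": name, "parent": {"name": parent}}
    if command_line is not None:
        proc["command_line"] = command_line
    if executable is not None:
        proc["executable"] = executable
    if ext_level is not None:
        proc["Ext"] = {"token": {"integrity_level_name": ext_level}}
    event = {"host": {"os": {"type": "windows"}}, "event": {"type": event_type}, "process": proc}
    if winlog_level is not None:
        event["winlog"] = {"event_data": {"IntegrityLevel": winlog_level}}
    return event


# Constructed sample events, labelled by the branch each one exercises.
SAMPLE_EVENTS = [
    ("excluded-by-name", make_event("SplWOW64.exe", "splwow64.exe 1234", ext_level="System")),
    ("driver-install", make_event("rundll32.exe",
        r"rundll32.exe C:\WINDOWS\system32\spool\DRIVERS\x64\3\example.dll,Entry", ext_level="System")),
    ("excluded-executable", make_event("CPWriter2.exe", '"CPWriter2.exe" 1234',
        executable=r"C:\Program Files (x86)\CutePDF Writer\CPWriter2.exe", ext_level="System")),
    ("medium-integrity", make_event("cmd.exe", "cmd.exe /c echo hello", ext_level="Medium")),
    ("winlog-regsvr32", make_event("regsvr32.exe", "regsvr32.exe /s PrintConfig.dll", winlog_level="System")),
    ("null-cmdline", make_event("cmd.exe", None, winlog_level="System")),
    ("unexpected-child", make_event("cmd.exe", "cmd.exe /c echo hello",
        executable=r"C:\Windows\System32\cmd.exe", winlog_level="System")),
]


def matching_labels(events=SAMPLE_EVENTS):
    """Labels of the sample events that would raise this alert."""
    return [label for label, event in events if rule_matches(event)]


if __name__ == "__main__":
    print("alerting events:", matching_labels())
```

The re-implementation is useful for unit-testing exclusion changes before they ship: add the event that caused a false positive to the list, widen the relevant exclusion, and confirm the `unexpected-child` case still fires. Note that the rule's `?process.Ext...` and `?winlog...` fields are optional in EQL precisely because only one of the two telemetry sources (Elastic Defend or Windows Security event logs) will populate them for a given event.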
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Persistence via TelemetryController Scheduled Task Hijack
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential Privileged Escalation via SamAccountName Spoofing
- Remote Computer Account DnsHostName Update