Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Elastic rule
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
"""
false_positives = [
    """
    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
    signature information.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "spoolsv.exe" and process.command_line != null and
  (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and

  /* exclusions for FP control below */
  not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
  not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
  not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
  not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
  not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
  not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
  not process.executable : (
    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
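To check how the query's exclusion list behaves before tuning it, the rule logic can be re-implemented outside the stack and run over a handful of process events. The following is an added example, not code from the Elastic rule or the detection-rules repository: a Python port of the EQL conditions above, applied to constructed ECS-style events. The `:` operator is modelled as a case-insensitive wildcard match (`*` and `?`), the `?field` optional-field syntax as a lookup that returns `None` when the field is absent, and the sample events (`SAMPLE_EVENTS`) are invented for the demonstration.

```python
"""Offline port of the "Unusual Print Spooler Child Process" EQL logic.
Added example; field names follow the rule, event contents are constructed."""
import fnmatch

EXCLUDED_NAMES = ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe",
                  "msiexec.exe", "route.exe", "WerFault.exe")
EXCLUDED_EXECUTABLES = (r"?:\Program Files (x86)\CutePDF Writer\CPWriter2.exe",
                        r"?:\Program Files (x86)\GPLGS\gswin32c.exe")


def like(value, patterns):
    """Model of EQL ':' - case-insensitive compare with '*' and '?' wildcards."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def get(event, path):
    """Dotted-path lookup; a missing field yields None (like the rule's '?field')."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when the event would trigger the rule."""
    if get(event, "host.os.type") != "windows" or get(event, "event.type") != "start":
        return False
    if not like(get(event, "process.parent.name"), "spoolsv.exe"):
        return False
    cmd = get(event, "process.command_line")
    if cmd is None:
        return False
    # SYSTEM integrity from either Elastic Defend or the Windows Security log.
    if not (like(get(event, "process.Ext.token.integrity_level_name"), "System")
            or like(get(event, "winlog.event_data.IntegrityLevel"), "System")):
        return False
    name = get(event, "process.name")
    # Exclusions for false-positive control, in the order the query lists them.
    if like(name, EXCLUDED_NAMES):
        return False
    if like(cmd, r"*\WINDOWS\system32\spool\DRIVERS*"):
        return False
    if like(name, "net.exe") and like(cmd, ("*stop*", "*start*")):
        return False
    if like(name, ("cmd.exe", "powershell.exe")) and \
            like(cmd, ("*.spl*", r"*\program files*", "*route add*")):
        return False
    if like(name, "netsh.exe") and like(cmd, ("*add portopening*", "*rule name*")):
        return False
    if like(name, "regsvr32.exe") and like(cmd, "*PrintConfig.dll*"):
        return False
    if like(get(event, "process.executable"), EXCLUDED_EXECUTABLES):
        return False
    return True


def make_event(name, cmd, executable, integrity="System", parent="spoolsv.exe"):
    """Build a constructed Elastic Defend style process start event."""
    return {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
            "process": {"name": name, "command_line": cmd, "executable": executable,
                        "parent": {"name": parent},
                        "Ext": {"token": {"integrity_level_name": integrity}}}}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: normal 32-bit print helper, excluded by name
    make_event("splwow64.exe", "splwow64.exe", r"C:\Windows\splwow64.exe"),
    # 1: driver install under the spool DRIVERS path, excluded by command line
    make_event("rundll32.exe", r"rundll32.exe C:\Windows\System32\spool\DRIVERS\x64\3\ui.dll",
               r"C:\Windows\System32\rundll32.exe"),
    # 2: SYSTEM shell spawned by the spooler, nothing excludes it -> alert
    make_event("cmd.exe", "cmd.exe /c echo test", r"C:\Windows\System32\cmd.exe"),
    # 3: same shell but not SYSTEM integrity -> no alert
    make_event("cmd.exe", "cmd.exe /c echo test", r"C:\Windows\System32\cmd.exe",
               integrity="Medium"),
    # 4: Security-log shaped event carrying IntegrityLevel under winlog.event_data -> alert
    {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
     "process": {"name": "powershell.exe", "command_line": "powershell.exe -Command Get-Date",
                 "parent": {"name": "spoolsv.exe"}},
     "winlog": {"event_data": {"IntegrityLevel": "System"}}},
]


def alerting_indices(events):
    """Indices of the events that would raise an alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", alerting_indices(SAMPLE_EVENTS))
```

Running it reports events 2 and 4 as alerts; the others fall out on the name exclusion, the driver-path exclusion, or the integrity-level requirement. A new false-positive candidate can be added to `SAMPLE_EVENTS` to confirm whether an existing exclusion already covers it before the rule itself is edited.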
Related rules
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential Privileged Escalation via SamAccountName Spoofing
- Remote Computer Account DnsHostName Update
- Suspicious JetBrains TeamCity Child Process
- Suspicious Print Spooler File Deletion