Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/06"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
13escalation vulnerabilities related to the Printing Service on Windows.
14"""
15false_positives = [
16 """
17 Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
18 signature information.
19 """,
20]
21from = "now-9m"
22index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
23language = "eql"
24license = "Elastic License v2"
25name = "Unusual Print Spooler Child Process"
26references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
27risk_score = 47
28rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
29setup = """## Setup
30
31If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
32events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
33Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
34`event.ingested` to @timestamp.
35For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
36"""
37severity = "medium"
38tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.type == "start" and
44 process.parent.name : "spoolsv.exe" and process.command_line != null and
45 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
46
47 /* exclusions for FP control below */
48 not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
49 not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
50 not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
51 not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
52 not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
53 not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
54 not process.executable : (
55 "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
56 "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
57 )
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1068"
65name = "Exploitation for Privilege Escalation"
66reference = "https://attack.mitre.org/techniques/T1068/"
67
68
69[rule.threat.tactic]
70id = "TA0004"
71name = "Privilege Escalation"
72reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Persistence via Update Orchestrator Service Hijack
- Potential Privilege Escalation via InstallerFileTakeOver
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Suspicious Print Spooler SPL File Created