Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
"""
false_positives = [
    """
    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
    signature information.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "spoolsv.exe" and
  (?process.Ext.token.integrity_level_name : "System" or
   ?winlog.event_data.IntegrityLevel : "System") and

  /* exclusions for FP control below */
  not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
  not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
  not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
  not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
  not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
  not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
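The query above is the whole rule, so the most useful thing to see is what it actually fires on and what the exclusion block silences. The following is an added example, not Elastic's code or rule engine: a Python re-implementation of the rule's predicate (the parent-name, integrity-level and exclusion clauses) dry-run over a handful of constructed process-start events. It approximates EQL's `:` operator as a case-insensitive match in which `*` matches any run of characters, assumes that a missing field matches no pattern, and uses the ECS/Elastic Defend field names the query itself uses; the sample events are constructed, not real telemetry.

```python
import re

# EQL's ':' operator is a case-insensitive comparison in which '*' matches any
# run of characters. This helper approximates it for a dry run; it is an added
# re-implementation, not Elastic's EQL engine.
def eql_match(value, patterns):
    if value is None:  # assumption: a missing field matches no pattern
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False


def integrity_level(event):
    """Integrity level from either data source the rule accepts (Elastic Defend or winlog)."""
    return (event.get("process.Ext.token.integrity_level_name")
            or event.get("winlog.event_data.IntegrityLevel"))


def rule_matches(event):
    """True when a process-start event satisfies the rule's EQL predicate."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_match(event.get("process.parent.name"), "spoolsv.exe"):
        return False
    if not eql_match(integrity_level(event), "System"):
        return False

    name = event.get("process.name")
    cmd = event.get("process.command_line")
    # The exclusions mirror the rule's "FP control" block clause for clause.
    excluded = (
        eql_match(name, ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe",
                         "msiexec.exe", "route.exe", "WerFault.exe"))
        or eql_match(cmd, r"*\WINDOWS\system32\spool\DRIVERS*")
        or (eql_match(name, "net.exe") and eql_match(cmd, ("*stop*", "*start*")))
        or (eql_match(name, ("cmd.exe", "powershell.exe"))
            and eql_match(cmd, ("*.spl*", r"*\program files*", "*route add*")))
        or (eql_match(name, "netsh.exe") and eql_match(cmd, ("*add portopening*", "*rule name*")))
        or (eql_match(name, "regsvr32.exe") and eql_match(cmd, "*PrintConfig.dll*"))
    )
    return not excluded


def make_event(fields):
    """Constructed Windows process-start event whose parent is spoolsv.exe."""
    event = {"host.os.type": "windows", "event.type": "start",
             "process.parent.name": "spoolsv.exe"}
    event.update(fields)
    return event


# Constructed sample events (not real telemetry), one per behaviour of interest.
SAMPLE_EVENTS = [
    # SYSTEM shell spawned by the spooler: the case the rule exists for.
    make_event({"process.name": "cmd.exe",
                "process.command_line": "cmd.exe /c whoami > C:\\Windows\\Temp\\out.txt",
                "process.Ext.token.integrity_level_name": "System"}),
    # Legitimate 32-bit driver host, excluded by name.
    make_event({"process.name": "splwow64.exe",
                "process.command_line": "splwow64.exe 10000",
                "process.Ext.token.integrity_level_name": "System"}),
    # Driver registration from the spool DRIVERS directory, excluded by path and DLL name.
    make_event({"process.name": "regsvr32.exe",
                "process.command_line": r'regsvr32.exe /s "C:\Windows\System32\spool\DRIVERS\x64\3\PrintConfig.dll"',
                "process.Ext.token.integrity_level_name": "System"}),
    # Same shell but at Medium integrity (winlog field): not a privilege escalation signal.
    make_event({"process.name": "cmd.exe",
                "process.command_line": "cmd.exe /c whoami",
                "winlog.event_data.IntegrityLevel": "Medium"}),
    # SYSTEM rundll32 reported through winlog rather than Elastic Defend: fires.
    make_event({"process.name": "rundll32.exe",
                "process.command_line": r"rundll32.exe C:\Windows\Temp\evil.dll,#1",
                "winlog.event_data.IntegrityLevel": "System"}),
    # PowerShell touching a .spl spool file, excluded by the "*.spl*" clause.
    make_event({"process.name": "powershell.exe",
                "process.command_line": r"powershell.exe -c Get-Content C:\Windows\System32\spool\PRINTERS\00001.SPL",
                "process.Ext.token.integrity_level_name": "System"}),
]


def run_rule(events):
    """Apply the rule to a batch of events and return those that would alert."""
    return [event for event in events if rule_matches(event)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):  # prints the cmd.exe and rundll32.exe events
        print("ALERT:", hit["process.name"], hit["process.command_line"])
```

Two things worth noticing in the dry run: a SYSTEM-integrity child of spoolsv.exe fires whichever data source supplied the integrity level, and the exclusion clauses are plain wildcard matches on the command line, so they silence any event whose command line happens to contain `.spl`, the spool `DRIVERS` path or `PrintConfig.dll`. That is the place to look when tuning, because a broad exclusion there is also where a missed detection would hide. When an alert does fire, the false-positive guidance above applies: check the driver file's publisher and Authenticode signature (for instance with Get-AuthenticodeSignature in PowerShell) before closing it as a driver install.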
Setup
If you enable an EQL rule on a non-Elastic-Agent index (such as a Beats index) on a stack version earlier than 8.2, the events will not define event.ingested, and the default fallback for EQL rules was not added until 8.2. For this rule to work on those versions you will need to add a custom ingest pipeline that populates event.ingested from @timestamp.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Related rules
- Potential Privilege Escalation via InstallerFileTakeOver
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Suspicious Print Spooler SPL File Created
- Suspicious PrintSpooler Service Executable File Creation