Unusual Print Spooler Child Process

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.


# Rule metadata read by the detection-rules tooling; not part of the query itself.
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
"""
# Known benign trigger. The triage step (driver file manufacturer and signature) is what separates
# a legitimate driver install from an exploit attempt, so record it when closing an alert.
false_positives = [
    """
    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
    signature information.
    """,
]
# Look-back window for each rule run (the run interval is not set in this file). Pairs with
# timestamp_override below so that delayed ingest does not cause misses -- see the setup text.
from = "now-9m"
# Process events from Elastic Defend plus Windows/system event logs. The query's optional (?)
# fields cover the integrity-level field that each of these sources provides.
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
# MSRC advisory for CVE-2021-34527 (the Print Spooler vulnerability known as PrintNightmare).
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
risk_score = 47
rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
]
# Evaluate the query window against ingest time rather than event time; on pre-8.2 beats indices
# this field must be populated by the pipeline described in `setup`, or the rule sees no events.
timestamp_override = "event.ingested"
type = "eql"

# Fires on a process start whose parent is spoolsv.exe, that has a command line, and that runs at
# System integrity (Endpoint token field or winlog IntegrityLevel; either may be absent, hence `?`).
# The exclusions match substrings of process.name / process.command_line plus two full
# process.executable paths. Name and command line are supplied by the spawned process itself, so
# keep this list minimal and prefer executable-path or code-signature fields when adding entries.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "spoolsv.exe" and process.command_line != null and 
 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and

 /* exclusions for FP control below */
 not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
 not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
 not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
 not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
 not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
 not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
 not process.executable : (
    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
 )
'''


# MITRE ATT&CK mapping: technique T1068 under the Privilege Escalation tactic (TA0004).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
