Unusual Print Spooler Child Process

  1[metadata]
  2creation_date = "2021/07/06"
  3integration = ["endpoint", "windows", "system"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
 11escalation vulnerabilities related to the Printing Service on Windows.
 12"""
 13false_positives = [
 14    """
 15    Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and
 16    signature information.
 17    """,
 18]
 19from = "now-9m"
 20index = ["logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 21language = "eql"
 22license = "Elastic License v2"
 23name = "Unusual Print Spooler Child Process"
 24note = """## Triage and analysis
 25
 26> **Disclaimer**:
 27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 28
 29### Investigating Unusual Print Spooler Child Process
 30
 31The Print Spooler service, integral to Windows environments, manages print jobs and interactions with printers. Adversaries may exploit vulnerabilities in this service to escalate privileges, gaining unauthorized access or control. The detection rule identifies suspicious child processes spawned by the Print Spooler, excluding known legitimate processes, to flag potential exploitation attempts, focusing on unusual command lines and integrity levels.
 32
 33### Possible investigation steps
 34
 35- Review the process details to identify the unusual child process spawned by spoolsv.exe, focusing on the process name and command line arguments to understand its purpose and potential malicious intent.
 36- Check the integrity level of the process using the fields process.Ext.token.integrity_level_name or winlog.event_data.IntegrityLevel to confirm if it is running with elevated privileges, which could indicate an exploitation attempt.
 37- Investigate the parent-child relationship by examining the process tree to determine if there are any other suspicious processes associated with the same parent process, spoolsv.exe.
 38- Cross-reference the process executable path against known legitimate software paths to ensure it is not a false positive, especially if the executable is not listed in the exclusion paths.
 39- Analyze recent system logs and security events around the time of the alert to identify any other anomalous activities or patterns that could be related to the potential exploitation attempt.
 40- If the process is confirmed suspicious, isolate the affected system to prevent further exploitation and conduct a deeper forensic analysis to understand the scope and impact of the incident.
 41
 42### False positive analysis
 43
 44- Legitimate print-related processes like splwow64.exe, PDFCreator.exe, and acrodist.exe may trigger alerts. These are excluded in the rule to prevent false positives.
 45- System processes such as msiexec.exe, route.exe, and WerFault.exe are known to be legitimate child processes of the Print Spooler and are excluded to reduce false alerts.
 46- Commands involving net.exe for starting or stopping services are common in administrative tasks and are excluded to avoid unnecessary alerts.
 47- Command-line operations involving cmd.exe or powershell.exe that reference .spl files or system paths are often legitimate and are excluded to minimize false positives.
 48- Network configuration changes using netsh.exe, such as adding port openings or rules, are typical in network management and are excluded to prevent false alerts.
 49- Registration of PrintConfig.dll via regsvr32.exe is a known legitimate operation and is excluded to avoid false positives.
 50- Executables from known paths like CutePDF Writer and GPLGS are excluded to prevent alerts from common, non-threatening applications.
 51
 52### Response and remediation
 53
 54- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
 55- Terminate any suspicious child processes spawned by the Print Spooler service that do not match known legitimate processes or command lines.
 56- Conduct a thorough review of the system's security logs to identify any unauthorized access or privilege escalation attempts related to the Print Spooler service.
 57- Apply the latest security patches and updates to the Windows operating system and specifically to the Print Spooler service to mitigate known vulnerabilities.
 58- Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed.
 59- Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes.
 60- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
 61references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
 62risk_score = 47
 63rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
 64severity = "medium"
 65tags = [
 66    "Domain: Endpoint",
 67    "OS: Windows",
 68    "Use Case: Threat Detection",
 69    "Tactic: Privilege Escalation",
 70    "Use Case: Vulnerability",
 71    "Data Source: Elastic Defend",
 72    "Data Source: Windows Security Event Logs",
 73    "Resources: Investigation Guide",
 74]
 75timestamp_override = "event.ingested"
 76type = "eql"
 77
 78query = '''
 79process where host.os.type == "windows" and event.type == "start" and
 80 process.parent.name : "spoolsv.exe" and process.command_line != null and
 81 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
 82
 83 /* exclusions for FP control below */
 84 not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and
 85 not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and
 86 not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
 87 not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
 88 not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
 89 not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
 90 not process.executable : (
 91    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
 92    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
 93 )
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1068"
101name = "Exploitation for Privilege Escalation"
102reference = "https://attack.mitre.org/techniques/T1068/"
103
104
105[rule.threat.tactic]
106id = "TA0004"
107name = "Privilege Escalation"
108reference = "https://attack.mitre.org/tactics/TA0004/"