Windows Spooler Service Suspicious Binary Load

 1title: Windows Spooler Service Suspicious Binary Load
 2id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
 3status: test
 4description: Detect DLL Load from Spooler Service backup folder
 5references:
 6    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
 7    - https://github.com/ly4k/SpoolFool
 8author: FPT.EagleEye, Thomas Patzke (improvements)
 9date: 2021-06-29
10modified: 2022-06-02
11tags:
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.privilege-escalation
15    - attack.t1574
16    - cve.2021-1675
17    - cve.2021-34527
18logsource:
19    category: image_load
20    product: windows
21detection:
22    selection:
23        Image|endswith: '\spoolsv.exe'
24        ImageLoaded|contains:
25            - '\Windows\System32\spool\drivers\x64\3\'
26            - '\Windows\System32\spool\drivers\x64\4\'
27        ImageLoaded|endswith: '.dll'
28    condition: selection
29falsepositives:
30    - Loading of legitimate driver
31level: informational

References

• hhlxf/PrintNightmare

  

  Contribute to hhlxf/PrintNightmare development by creating an account on GitHub.

  
  Read More

• GitHub - ly4k/SpoolFool: Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)

  

  Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) - ly4k/SpoolFool

  
  Read More

Related rules

• Potential PrintNightmare Exploitation Attempt
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address