Windows Spooler Service Suspicious Binary Load

 1title: Windows Spooler Service Suspicious Binary Load
 2id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
 3status: test
 4description: Detect DLL Load from Spooler Service backup folder
 5references:
 6    - https://github.com/hhlxf/PrintNightmare
 7    - https://github.com/ly4k/SpoolFool
 8author: FPT.EagleEye, Thomas Patzke (improvements)
 9date: 2021/06/29
10modified: 2022/06/02
11tags:
12    - attack.persistence
13    - attack.defense_evasion
14    - attack.privilege_escalation
15    - attack.t1574
16    - cve.2021.1675
17    - cve.2021.34527
18logsource:
19    category: image_load
20    product: windows
21detection:
22    selection:
23        Image|endswith: '\spoolsv.exe'
24        ImageLoaded|contains:
25            - '\Windows\System32\spool\drivers\x64\3\'
26            - '\Windows\System32\spool\drivers\x64\4\'
27        ImageLoaded|endswith: '.dll'
28    condition: selection
29falsepositives:
30    - Loading of legitimate driver
31level: informational

References

• https://github.com/hhlxf/PrintNightmare

  
  Read More

• GitHub - ly4k/SpoolFool: Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)

  

  Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) - ly4k/SpoolFool

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Application Using Device Code Authentication Flow
• Applications That Are Using ROPC Authentication Flow