Unusual Print Spooler Child Process

edit

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 2

Added (Elastic Stack release): 7.14.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information.

Rule query

edit
process where event.type == "start" and process.parent.name :
"spoolsv.exe" and user.id : "S-1-5-18" and /* exclusions for FP
control below */ not process.name : ("splwow64.exe",
"PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe",
"route.exe", "WerFault.exe") and not process.command_line :
"*\\WINDOWS\\system32\\spool\\DRIVERS*" and not (process.name :
"net.exe" and process.command_line : ("*stop*", "*start*")) and not
(process.name : ("cmd.exe", "powershell.exe") and process.command_line
: ("*.spl*", "*\\program files*", "*route add*")) and not
(process.name : "netsh.exe" and process.command_line : ("*add
portopening*", "*rule name*")) and not (process.name : "regsvr32.exe"
and process.command_line : "*PrintConfig.dll*")

Threat mapping

edit

Framework: MITRE ATT&CKTM