Unusual Print Spooler Child Process

edit

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 100 (version history)

Added (Elastic Stack release): 7.14.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information.

Investigation guide

edit

Rule query

edit
process where event.type == "start" and process.parent.name :
"spoolsv.exe" and (?process.Ext.token.integrity_level_name : "System"
or ?winlog.event_data.IntegrityLevel : "System") and /* exclusions
for FP control below */ not process.name : ("splwow64.exe",
"PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe",
"route.exe", "WerFault.exe") and not process.command_line :
"*\\WINDOWS\\system32\\spool\\DRIVERS*" and not (process.name :
"net.exe" and process.command_line : ("*stop*", "*start*")) and not
(process.name : ("cmd.exe", "powershell.exe") and process.command_line
: ("*.spl*", "*\\program files*", "*route add*")) and not
(process.name : "netsh.exe" and process.command_line : ("*add
portopening*", "*rule name*")) and not (process.name : "regsvr32.exe"
and process.command_line : "*PrintConfig.dll*")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 100 (8.5.0 release)
  • Formatting only
Version 8 (8.4.0 release)
  • Formatting only
Version 6 (8.3.0 release)
  • Formatting only
Version 5 (8.2.0 release)
  • Updated query, changed from:

    process where event.type == "start" and process.parent.name :
    "spoolsv.exe" and (process.Ext.token.integrity_level_name : "System"
    or winlog.event_data.IntegrityLevel : "System") and /* exclusions
    for FP control below */ not process.name : ("splwow64.exe",
    "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe",
    "route.exe", "WerFault.exe") and not process.command_line :
    "*\\WINDOWS\\system32\\spool\\DRIVERS*" and not (process.name :
    "net.exe" and process.command_line : ("*stop*", "*start*")) and not
    (process.name : ("cmd.exe", "powershell.exe") and process.command_line
    : ("*.spl*", "*\\program files*", "*route add*")) and not
    (process.name : "netsh.exe" and process.command_line : ("*add
    portopening*", "*rule name*")) and not (process.name : "regsvr32.exe"
    and process.command_line : "*PrintConfig.dll*")
Version 3 (8.1.0 release)
  • Updated query, changed from:

    process where event.type == "start" and process.parent.name :
    "spoolsv.exe" and user.id : "S-1-5-18" and /* exclusions for FP
    control below */ not process.name : ("splwow64.exe",
    "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe",
    "route.exe", "WerFault.exe") and not process.command_line :
    "*\\WINDOWS\\system32\\spool\\DRIVERS*" and not (process.name :
    "net.exe" and process.command_line : ("*stop*", "*start*")) and not
    (process.name : ("cmd.exe", "powershell.exe") and process.command_line
    : ("*.spl*", "*\\program files*", "*route add*")) and not
    (process.name : "netsh.exe" and process.command_line : ("*add
    portopening*", "*rule name*")) and not (process.name : "regsvr32.exe"
    and process.command_line : "*PrintConfig.dll*")