EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Spoolsv Suspicious Loaded Modules

The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.

MITRE ATT&CK

T1547.012
persistenceprivilege-escalation

Detection Query

`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded values(loaded_file) as loaded_file values(loaded_file_path) as loaded_file_path values(original_file_name) as original_file_name values(process_exec) as process_exec values(process_guid) as process_guid values(process_hash) as process_hash values(process_name) as process_name values(service_dll_signature_exists) as service_dll_signature_exists values(service_dll_signature_verified) as service_dll_signature_verified values(signature) as signature values(signature_id) as signature_id values(user_id) as user_id values(vendor_product) as vendor_product values(Image) as Image count min(_time) as firstTime max(_time) as lastTime by process_path dest process_id | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`

Author

Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 7

References

Tags

PrintNightmare CVE-2021-34527Black Basta Ransomware
Raw Content
name: Spoolsv Suspicious Loaded Modules
id: a5e451f8-da81-11eb-b245-acde48001122
version: 11
date: '2026-03-10'
author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.
data_source:
    - Sysmon EventID 7
search: '`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded values(loaded_file) as loaded_file values(loaded_file_path) as loaded_file_path values(original_file_name) as original_file_name values(process_exec) as process_exec values(process_guid) as process_guid values(process_hash) as process_hash values(process_name) as process_name values(service_dll_signature_exists) as service_dll_signature_exists values(service_dll_signature_verified) as service_dll_signature_verified values(signature) as signature values(signature_id) as signature_id values(user_id) as user_id values(vendor_product) as vendor_product values(Image) as Image count min(_time) as firstTime max(_time) as lastTime by process_path dest process_id | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: No false positives have been identified at this time.
references:
    - https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - PrintNightmare CVE-2021-34527
        - Black Basta Ransomware
    asset_type: Endpoint
    cve:
        - CVE-2021-34527
    mitre_attack_id:
        - T1547.012
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog