← Back to Explore
sigmahighHunting
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Detection Query
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_cli:
CommandLine|contains|all:
- C:\windows\system32\davclnt.dll,DavSetCookie
- http
CommandLine|contains:
- spoolss
- srvsvc
- /print/pipe/
condition: all of selection_*
Author
Elastic (idea), Tobias Michalski (Nextron Systems)
Created
2022-05-04
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.credential-accessattack.t1212
Raw Content
title: Suspicious NTLM Authentication on the Printer Spooler Service
id: bb76d96b-821c-47cf-944b-7ce377864492
status: test
description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
references:
- https://twitter.com/med0x2e/status/1520402518685200384
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
author: Elastic (idea), Tobias Michalski (Nextron Systems)
date: 2022-05-04
modified: 2023-02-09
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1212
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'C:\windows\system32\davclnt.dll,DavSetCookie'
- 'http'
CommandLine|contains:
- 'spoolss'
- 'srvsvc'
- '/print/pipe/'
condition: all of selection_*
falsepositives:
- Unknown
level: high