← Back to Explore
sigmahighHunting
Suspicious Spool Service Child Process
Detects suspicious print spool service (spoolsv.exe) child processes.
Detection Query
spoolsv:
ParentImage|endswith: \spoolsv.exe
IntegrityLevel:
- System
- S-1-16-16384
suspicious_unrestricted:
Image|endswith:
- \gpupdate.exe
- \whoami.exe
- \nltest.exe
- \taskkill.exe
- \wmic.exe
- \taskmgr.exe
- \sc.exe
- \findstr.exe
- \curl.exe
- \wget.exe
- \certutil.exe
- \bitsadmin.exe
- \accesschk.exe
- \wevtutil.exe
- \bcdedit.exe
- \fsutil.exe
- \cipher.exe
- \schtasks.exe
- \write.exe
- \wuauclt.exe
- \systeminfo.exe
- \reg.exe
- \query.exe
suspicious_net:
Image|endswith:
- \net.exe
- \net1.exe
suspicious_net_filter:
CommandLine|contains: start
suspicious_cmd:
Image|endswith: \cmd.exe
suspicious_cmd_filter:
CommandLine|contains:
- .spl
- route add
- program files
suspicious_netsh:
Image|endswith: \netsh.exe
suspicious_netsh_filter:
CommandLine|contains:
- add portopening
- rule name
suspicious_powershell:
Image|endswith:
- \powershell.exe
- \pwsh.exe
suspicious_powershell_filter:
CommandLine|contains: .spl
suspicious_rundll32_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
suspicious_rundll32_cli:
CommandLine|endswith: rundll32.exe
condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not
suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or
(suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell
and not suspicious_powershell_filter) or all of suspicious_rundll32_* )
Author
Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
Created
2021-07-11
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1203attack.privilege-escalationattack.t1068
Raw Content
title: Suspicious Spool Service Child Process
id: dcdbc940-0bff-46b2-95f3-2d73f848e33b
status: test
description: Detects suspicious print spool service (spoolsv.exe) child processes.
references:
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021-07-11
modified: 2024-12-01
tags:
- attack.execution
- attack.t1203
- attack.privilege-escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
spoolsv:
ParentImage|endswith: '\spoolsv.exe'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
suspicious_unrestricted:
Image|endswith:
- '\gpupdate.exe'
- '\whoami.exe'
- '\nltest.exe'
- '\taskkill.exe'
- '\wmic.exe'
- '\taskmgr.exe'
- '\sc.exe'
- '\findstr.exe'
- '\curl.exe'
- '\wget.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\accesschk.exe'
- '\wevtutil.exe'
- '\bcdedit.exe'
- '\fsutil.exe'
- '\cipher.exe'
- '\schtasks.exe'
- '\write.exe'
- '\wuauclt.exe'
- '\systeminfo.exe'
- '\reg.exe'
- '\query.exe'
suspicious_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
suspicious_net_filter:
CommandLine|contains: 'start'
suspicious_cmd:
Image|endswith: '\cmd.exe'
suspicious_cmd_filter:
CommandLine|contains:
- '.spl'
- 'route add'
- 'program files'
suspicious_netsh:
Image|endswith: '\netsh.exe'
suspicious_netsh_filter:
CommandLine|contains:
- 'add portopening'
- 'rule name'
suspicious_powershell:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
suspicious_powershell_filter:
CommandLine|contains: '.spl'
suspicious_rundll32_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
suspicious_rundll32_cli:
CommandLine|endswith: 'rundll32.exe'
condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_* )
falsepositives:
- Unknown
level: high