SigmaHQ/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml

title: Suspicious Spool Service Child Process
id: dcdbc940-0bff-46b2-95f3-2d73f848e33b
status: stable
description: Detects suspicious print spool service (spoolsv.exe) child processes.
references:
    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
tags:
    - attack.execution
    - attack.t1203
    - attack.privilege_escalation
    - attack.t1068
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021/07/11
logsource:
    category: process_creation
    product: windows
detection:
    spoolsv:
        ParentImage|endswith: \\spoolsv.exe
        IntegrityLevel: System
    suspicious_unrestricted:
        Image|endswith:
            - \gpupdate.exe
            - \whoami.exe
            - \nltest.exe
            - \taskkill.exe
            - \wmic.exe
            - \taskmgr.exe
            - \sc.exe
            - \findstr.exe
            - \curl.exe
            - \wget.exe
            - \certutil.exe
            - \bitsadmin.exe
            - \accesschk.exe
            - \wevtutil.exe
            - \bcdedit.exe
            - \fsutil.exe
            - \cipher.exe
            - \schtasks.exe
            - \write.exe
            - \wuauclt.exe
    suspicious_net:
        Image|endswith: \net.exe
    suspicious_net_filter:
        CommandLine|contains: start
    suspicious_cmd:
        Image|endswith: \cmd.exe
    suspicious_cmd_filter:
        CommandLine|contains:
            - .spl
            - route add
            - program files
    suspicious_netsh:
        Image|endswith: \netsh.exe
    suspicious_netsh_filter:
        CommandLine|contains:
            - "add portopening"
            - "rule name"
    suspicious_powershell:
        Image|endswith: \powershell.exe
    suspicious_powershell_filter:
        CommandLine|contains: .spl
    suspicious_rundll32:
        Image|endswith: \rundll32.exe
        CommandLine|endswith: rundll32.exe
    condition: spoolsv and (
        suspicious_unrestricted
        or (suspicious_net and not suspicious_net_filter)
        or (suspicious_cmd and not suspicious_cmd_filter)
        or (suspicious_netsh and not suspicious_netsh_filter)
        or (suspicious_powershell and not suspicious_powershell_filter)
        or suspicious_rundll32
      )
fields:
    - Image
    - CommandLine
falsepositives:
    - None known
level: high