
Suspicious Spool Service Child Process

Severity: high
Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
Source: upstream

Detects suspicious print spool service (spoolsv.exe) child processes.

MITRE ATT&CK coverage

Tactic                 Technique
Execution              T1203 Exploitation for Client Execution
Privilege Escalation   T1068 Exploitation for Privilege Escalation

Event coverage

Provider   Event ID   Title
Sysmon     1          Process creation

Stages and Predicates

Stage 1: spoolsv

IntegrityLevel: [S-1-16-16384, System]
ParentImage|endswith: '\spoolsv.exe'

Stage 2: suspicious_unrestricted

or:
Image|endswith: '\accesschk.exe'
Image|endswith: '\bcdedit.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cipher.exe'
Image|endswith: '\curl.exe'
Image|endswith: '\findstr.exe'
Image|endswith: '\fsutil.exe'
Image|endswith: '\gpupdate.exe'
Image|endswith: '\nltest.exe'
Image|endswith: '\query.exe'
Image|endswith: '\reg.exe'
Image|endswith: '\sc.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\systeminfo.exe'
Image|endswith: '\taskkill.exe'
Image|endswith: '\taskmgr.exe'
Image|endswith: '\wevtutil.exe'
Image|endswith: '\wget.exe'
Image|endswith: '\whoami.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\write.exe'
Image|endswith: '\wuauclt.exe'

Stage 3: suspicious_net

or:
Image|endswith: '\net.exe'
Image|endswith: '\net1.exe'

Stage 4: not suspicious_net_filter

CommandLine|contains: start

Stage 5: suspicious_cmd

Image|endswith: '\cmd.exe'

Stage 6: not suspicious_cmd_filter

or:
CommandLine|contains: .spl
CommandLine|contains: 'program files'
CommandLine|contains: 'route add'

Stage 7: suspicious_netsh

Image|endswith: '\netsh.exe'

Stage 8: not suspicious_netsh_filter

or:
CommandLine|contains: 'add portopening'
CommandLine|contains: 'rule name'

Stage 9: suspicious_powershell

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'

Stage 10: not suspicious_powershell_filter

CommandLine|contains: .spl

Stage 11: all of suspicious_rundll32_img

or:
Image|endswith: '\rundll32.exe'
OriginalFileName: RUNDLL32.EXE

Stage 12: all of suspicious_rundll32_cli

CommandLine|endswith: rundll32.exe
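As an added example (not part of this rule page and not the Sigma project's own code), the Python below evaluates the stages above against constructed Sysmon Event ID 1 records, so a detection engineer can see which child processes of spoolsv.exe fire and which are suppressed by the filters. It assumes Sigma's case-insensitive string matching, and it assumes the stages combine as the spoolsv selection AND any one of the suspicious groups (each group minus its own filter, and the two rundll32 stages both required); that combination is inferred from the stage labels ("not ...", "all of ...") rather than stated on the page. All sample events and field values are constructed.

```python
"""Evaluate the 'Suspicious Spool Service Child Process' stages over
Sysmon Event ID 1 records (constructed sample data, not real telemetry).

Assumed condition (inferred from the stage labels, not quoted from the page):
  spoolsv AND ( suspicious_unrestricted
                OR (suspicious_net        AND NOT suspicious_net_filter)
                OR (suspicious_cmd        AND NOT suspicious_cmd_filter)
                OR (suspicious_netsh      AND NOT suspicious_netsh_filter)
                OR (suspicious_powershell AND NOT suspicious_powershell_filter)
                OR (suspicious_rundll32_img AND suspicious_rundll32_cli) )
"""

SUSPICIOUS_UNRESTRICTED = [
    "\\accesschk.exe", "\\bcdedit.exe", "\\bitsadmin.exe", "\\certutil.exe",
    "\\cipher.exe", "\\curl.exe", "\\findstr.exe", "\\fsutil.exe",
    "\\gpupdate.exe", "\\nltest.exe", "\\query.exe", "\\reg.exe", "\\sc.exe",
    "\\schtasks.exe", "\\systeminfo.exe", "\\taskkill.exe", "\\taskmgr.exe",
    "\\wevtutil.exe", "\\wget.exe", "\\whoami.exe", "\\wmic.exe",
    "\\write.exe", "\\wuauclt.exe",
]


def _field(event, name):
    # Sigma string matching is case-insensitive (assumption stated in the lead-in).
    return str(event.get(name, "")).lower()


def ends_with(event, field, values):
    v = _field(event, field)
    return any(v.endswith(s.lower()) for s in values)


def contains(event, field, values):
    v = _field(event, field)
    return any(s.lower() in v for s in values)


def equals(event, field, values):
    v = _field(event, field)
    return any(v == s.lower() for s in values)


def spoolsv(e):
    # Stage 1: child of spoolsv.exe running at System integrity.
    return (equals(e, "IntegrityLevel", ["S-1-16-16384", "System"])
            and ends_with(e, "ParentImage", ["\\spoolsv.exe"]))


# Each stage group returns True when its selection matches and its filter does not.
STAGES = {
    "suspicious_unrestricted": lambda e: ends_with(e, "Image", SUSPICIOUS_UNRESTRICTED),
    "suspicious_net": lambda e: (ends_with(e, "Image", ["\\net.exe", "\\net1.exe"])
                                 and not contains(e, "CommandLine", ["start"])),
    "suspicious_cmd": lambda e: (ends_with(e, "Image", ["\\cmd.exe"])
                                 and not contains(e, "CommandLine", [".spl", "program files", "route add"])),
    "suspicious_netsh": lambda e: (ends_with(e, "Image", ["\\netsh.exe"])
                                   and not contains(e, "CommandLine", ["add portopening", "rule name"])),
    "suspicious_powershell": lambda e: (ends_with(e, "Image", ["\\powershell.exe", "\\pwsh.exe"])
                                        and not contains(e, "CommandLine", [".spl"])),
    "suspicious_rundll32": lambda e: ((ends_with(e, "Image", ["\\rundll32.exe"])
                                       or equals(e, "OriginalFileName", ["RUNDLL32.EXE"]))
                                      and ends_with(e, "CommandLine", ["rundll32.exe"])),
}


def which_stage(event):
    """Return the name of the first stage group that fires, or None."""
    if not spoolsv(event):
        return None
    for name, pred in STAGES.items():
        if pred(event):
            return name
    return None


def alerts(events):
    """Return (event id, stage) for every event the rule would alert on."""
    out = []
    for e in events:
        stage = which_stage(e)
        if stage:
            out.append((e["id"], stage))
    return out


# Constructed Sysmon Event ID 1 records (only the fields the rule reads).
SPOOLSV = "C:\\Windows\\System32\\spoolsv.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "ParentImage": SPOOLSV, "IntegrityLevel": "System",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"},
    {"id": "e2", "ParentImage": SPOOLSV, "IntegrityLevel": "System",          # filtered: 'start'
     "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net start spooler"},
    {"id": "e3", "ParentImage": SPOOLSV, "IntegrityLevel": "System",
     "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user"},
    {"id": "e4", "ParentImage": SPOOLSV, "IntegrityLevel": "System",          # filtered: '.spl'
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c del \"C:\\Windows\\System32\\spool\\PRINTERS\\00004.SPL\""},
    {"id": "e5", "ParentImage": SPOOLSV, "IntegrityLevel": "S-1-16-16384",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": "e6", "ParentImage": SPOOLSV, "IntegrityLevel": "System",          # bare rundll32.exe
     "Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe"},
    {"id": "e7", "ParentImage": SPOOLSV, "IntegrityLevel": "System",          # has arguments
     "Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe printui.dll,PrintUIEntry /Ss"},
    {"id": "e8", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"},
]

if __name__ == "__main__":
    for event_id, stage in alerts(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: {stage}")
```

Events e2, e4 and e7 are the cases the filters exist for: a service start, a spool-file cleanup and a rundll32 call with arguments all stay quiet, while e8 shows that the whole rule is gated on the spoolsv.exe parent and System integrity level before any child-image check runs.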

Indicators

Each row lists a field, the match operator, and the values the rule tests for. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank count or 1 means the indicator is specific to this rule.

Field              Kind        Values
CommandLine        ends_with
  • rundll32.exe corpus 2 (sigma 2)
CommandLine        match
  • .spl
  • add portopening
  • program files
  • route add
  • rule name
  • start corpus 6 (sigma 6)
Image              ends_with
  • \accesschk.exe corpus 3 (sigma 3)
  • \bcdedit.exe corpus 4 (sigma 4)
  • \bitsadmin.exe corpus 23 (sigma 23)
  • \certutil.exe corpus 34 (sigma 34)
  • \cipher.exe corpus 2 (sigma 2)
  • \cmd.exe corpus 92 (sigma 92)
  • \curl.exe corpus 19 (sigma 19)
  • \findstr.exe corpus 11 (sigma 11)
  • \fsutil.exe corpus 4 (sigma 4)
  • \gpupdate.exe corpus 2 (sigma 2)
  • \net.exe corpus 27 (sigma 27)
  • \net1.exe corpus 25 (sigma 25)
  • \netsh.exe corpus 16 (sigma 16)
  • \nltest.exe corpus 9 (sigma 9)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \query.exe corpus 5 (sigma 5)
  • \reg.exe corpus 46 (sigma 46)
  • \rundll32.exe corpus 76 (sigma 76)
  • \sc.exe corpus 17 (sigma 17)
  • \schtasks.exe corpus 45 (sigma 45)
  • \systeminfo.exe corpus 9 (sigma 9)
  • \taskkill.exe corpus 2 (sigma 2)
  • \taskmgr.exe corpus 2 (sigma 2)
  • \wevtutil.exe corpus 6 (sigma 6)
  • \wget.exe corpus 6 (sigma 6)
  • \whoami.exe corpus 18 (sigma 18)
  • \wmic.exe corpus 37 (sigma 37)
  • \write.exe
  • \wuauclt.exe corpus 2 (sigma 2)
IntegrityLevel     eq
  • S-1-16-16384 corpus 21 (sigma 21)
  • System corpus 21 (sigma 21)
OriginalFileName   eq
  • RUNDLL32.EXE corpus 28 (sigma 25, splunk 3)
ParentImage        ends_with
  • \spoolsv.exe corpus 4 (sigma 4)