Spoolsv Suspicious Process Access

Author
Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
Source
upstream

The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.

MITRE ATT&CK coverage

Tactic | Technique
Privilege Escalation | T1068 Exploitation for Privilege Escalation

Event coverage

Provider | Event ID | Title
Sysmon | 10 | ProcessAccess

Stages and Predicates

Stage 1: search

search CallTrace="*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" EventCode=10 GrantedAccess=0x1fffff SourceImage="*\\spoolsv.exe" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe")

Stage 2: stats

stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
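As an added illustration (not part of the Splunk rule or of this catalog), the Python below applies the Stage 1 predicates and a reduced form of the Stage 2 grouping to a handful of constructed Sysmon EventCode 10 records. The records, the host name, the driver DLL name and the call-trace offsets are made up for the example; the field names and match values are the ones the rule uses.

```python
import fnmatch

# Predicates mirrored from the rule's Stage 1 search (values as written in the rule).
CALLTRACE_PATTERN = r"*\Windows\system32\spool\DRIVERS\x64\*"
SOURCE_PATTERN = r"*\spoolsv.exe"
TARGET_PATTERNS = (r"*\rundll32.exe", r"*\spoolsv.exe")
REQUIRED_EVENT_CODE = 10
FULL_ACCESS = 0x1FFFFF  # PROCESS_ALL_ACCESS, logged by Sysmon as GrantedAccess=0x1FFFFF


def _glob(value, pattern):
    # Splunk field matching is case-insensitive, and its '*' spans backslashes;
    # fnmatch '*' also crosses path separators, so lowercasing both sides reproduces that.
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def matches_rule(event):
    """Return True when a single Sysmon ProcessAccess record satisfies every Stage 1 predicate."""
    try:
        granted = int(str(event.get("GrantedAccess", "0")), 16)
        code = int(event.get("EventCode", 0))
    except ValueError:
        return False
    return (
        code == REQUIRED_EVENT_CODE
        and granted == FULL_ACCESS
        and _glob(event.get("CallTrace", ""), CALLTRACE_PATTERN)
        and _glob(event.get("SourceImage", ""), SOURCE_PATTERN)
        and any(_glob(event.get("TargetImage", ""), p) for p in TARGET_PATTERNS)
    )


def find_suspicious(events):
    return [e for e in events if matches_rule(e)]


def summarize(events):
    # Reduced equivalent of the stats stage: count matches per (dest, SourceImage, TargetImage).
    counts = {}
    for e in find_suspicious(events):
        key = (e["dest"], e["SourceImage"], e["TargetImage"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records (not real telemetry). Host "WS01" and "sample_driver.dll" are placeholders.
SPOOLSV = r"C:\Windows\System32\spoolsv.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
DRIVER_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\spool\DRIVERS\x64\3\sample_driver.dll+1f20"
BENIGN_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2bd2e|C:\Windows\System32\spoolsv.exe+1a2b"

SAMPLE_EVENTS = [
    # 1: spooler, full access, rundll32 target, call trace through a DRIVERS\x64 module -> match
    {"dest": "WS01", "EventCode": 10, "GrantedAccess": "0x1FFFFF", "SourceImage": SPOOLSV,
     "TargetImage": RUNDLL32, "CallTrace": DRIVER_TRACE},
    # 2: same, but spoolsv accessing itself and a lowercase call trace -> match (case-insensitive)
    {"dest": "WS01", "EventCode": "10", "GrantedAccess": "0x1fffff", "SourceImage": SPOOLSV,
     "TargetImage": SPOOLSV, "CallTrace": DRIVER_TRACE.lower()},
    # 3: limited access rights -> no match
    {"dest": "WS01", "EventCode": 10, "GrantedAccess": "0x1400", "SourceImage": SPOOLSV,
     "TargetImage": RUNDLL32, "CallTrace": DRIVER_TRACE},
    # 4: call trace never passes through the print-driver directory -> no match
    {"dest": "WS01", "EventCode": 10, "GrantedAccess": "0x1FFFFF", "SourceImage": SPOOLSV,
     "TargetImage": RUNDLL32, "CallTrace": BENIGN_TRACE},
    # 5: source is not the spooler -> no match
    {"dest": "WS01", "EventCode": 10, "GrantedAccess": "0x1FFFFF", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": RUNDLL32, "CallTrace": DRIVER_TRACE},
    # 6: not a ProcessAccess event -> no match
    {"dest": "WS01", "EventCode": 1, "GrantedAccess": "0x1FFFFF", "SourceImage": SPOOLSV,
     "TargetImage": RUNDLL32, "CallTrace": DRIVER_TRACE},
]

if __name__ == "__main__":
    for (dest, src, tgt), n in summarize(SAMPLE_EVENTS).items():
        print(f"{dest}: {src} -> {tgt} x{n}")
```

Two details matter when re-implementing the predicates outside Splunk: Splunk compares field values case-insensitively, so the `GrantedAccess=0x1fffff` predicate matches the uppercase `0x1FFFFF` that Sysmon writes (the code parses the hex instead of comparing strings), and the Stage 1 `CallTrace` wildcard matches anywhere in the trace, not only at the top frame.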

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count shows how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or a count of 1 means the indicator is specific to this rule.

Field (Kind): Values

CallTrace (eq)
  • "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*"
EventCode (eq)
  • 10 corpus 14 (splunk 14)
GrantedAccess (eq)
  • 0x1fffff corpus 3 (sigma 2, splunk 1)
SourceImage (eq)
  • "*\\spoolsv.exe" corpus 2 (splunk 2)
TargetImage (in)
  • "*\\rundll32.exe"
  • "*\\spoolsv.exe" corpus 3 (splunk 3)