Detection rules › Splunk
Spoolsv Writing a DLL - Sysmon
The following analytic detects spoolsv.exe writing a .dll file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the \spool\drivers\x64\ directory. This activity is significant because spoolsv.exe typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.012 Boot or Logon Autostart Execution: Print Processors |
| Privilege Escalation | T1547.012 Boot or Logon Autostart Execution: Print Processors |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: search
search EventID=11 file_name="*.dll" file_path="*\\spool\\drivers\\x64\\*" process_name="spoolsv.exe"
Stage 2: stats
stats BY action, dest, file_name, file_path, process_guid, process_id, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventID | eq |
|
file_name | eq |
|
file_path | eq |
|
process_name | eq |
|