kql, Elastic-2.0, from elastic/detection-rules
Deprecated - Suspicious PrintSpooler Service Executable File Creation
Quality: 92
FP risk: —
Rule source: rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
event.category : "file" and host.os.type : "windows" and event.type : "creation" and
process.name : "spoolsv.exe" and file.extension : "dll"