splApache-2.0from splunk/security_content
Spoolsv Suspicious Loaded Modules
The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.
Quality
43
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/spoolsv_suspicious_loaded_modules.yml
`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded values(loaded_file) as loaded_file values(loaded_file_path) as loaded_file_path values(original_file_name) as original_file_name values(process_exec) as process_exec values(process_guid) as process_guid values(process_hash) as process_hash values(process_name) as process_name values(service_dll_signature_exists) as service_dll_signature_exists values(service_dll_signature_verified) as service_dll_signature_verified values(signature) as signature values(signature_id) as signature_id values(user_id) as user_id values(vendor_product) as vendor_product values(Image) as Image count min(_time) as firstTime max(_time) as lastTime by process_path dest process_id | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`