Spoolsv spawning Rundll32

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon or process auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule identifies instances where the legitimate Windows process "spoolsv.exe" (responsible for printing services) spawns the "rundll32.exe" process.

Data source

Windows: network traffic, process, kernel, file, user account

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1204 - User Execution, T1047 - Windows Management Instrumentation, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1036 - Masquerading

Sub-techniques: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1548.002 - Bypass User Account Control

Criteria:

The rule focuses on two key criteria:

  • Process name ends with rundll32.exe: This identifies instances where the process name ends with "rundll32.exe". This is because rundll32.exe is often used to execute arbitrary code, and malicious actors might exploit it to run malicious DLLs.
  • Parent Process name ends with one of the following:
    • Windows\System32\spoolsv.exe
    • Windows\SysWow64\spoolsv.exe
    • WINNT\system32\spoolsv.exe
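As an added illustration of the two criteria above (example code, not part of the original rule or its product), the following Python script applies the same conditions to constructed Sysmon process-creation events. The field names EventID, Image and ParentImage follow Sysmon's Event ID 1 schema; the sample records and their process IDs are made up.

```python
import json

# Criteria as stated by the rule: child image suffix and parent image path suffixes.
CHILD_SUFFIX = "rundll32.exe"
PARENT_SUFFIXES = (
    r"windows\system32\spoolsv.exe",
    r"windows\syswow64\spoolsv.exe",
    r"winnt\system32\spoolsv.exe",
)

def matches_rule(event):
    """True if a Sysmon Event ID 1 (process creation) record meets the rule's
    two criteria. Windows paths are case-insensitive, so compare lowercased."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith(CHILD_SUFFIX) and parent.endswith(PARENT_SUFFIXES)

def find_matches(json_lines):
    """Run the rule over newline-delimited JSON Sysmon events; return the hits."""
    hits = []
    for line in json_lines.splitlines():
        if line.strip():
            event = json.loads(line)
            if matches_rule(event):
                hits.append(event)
    return hits

# Constructed sample telemetry (not real logs). Only the first record should fire:
# the second is a benign rundll32 launch, the third is a spoolsv child that is not
# rundll32, and the fourth is a spoolsv copy outside System32, which the rule's
# parent-path criteria as written do not cover (a gap worth knowing about).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 4120},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4121},
    {"EventID": 1, "Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 4122},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Tools\spoolsv.exe", "ProcessId": 4123},
])

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG):
        print("ALERT: spoolsv spawned rundll32, PID", hit["ProcessId"])
```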

When to enable this rule:

Enable this rule when the user wants to detect suspicious activity potentially indicating lateral movement or privilege escalation. Spawning rundll32.exe by spoolsv.exe can be a technique used by malware to achieve these goals.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the requirements of the following security standards:

  • NIST Cybersecurity Framework (CSF): DE.AE (Detection Processes), specifically DE.AE-1 for anomaly detection.
  • CIS Control 8 (Malware Defense) to prevent execution of malicious code patterns.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.