Suspicious Parent Spawning Spoolsv
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be installed and logging process creation (Sysmon Event ID 1), since the parent/child relationship is taken from the ParentImage and Image fields of that event.
Rule type:
Correlation
Rule description:
This correlation rule detects potential threats by monitoring which process spawns spoolsv.exe (the Print Spooler service). Spoolsv.exe manages print jobs and is normally started only by the Service Control Manager (services.exe) at service start-up. If any other process spawns spoolsv.exe, it may indicate an attempt to exploit the spooler service, to inject malicious code into the printing process, or to run a malicious binary that masquerades as spoolsv.exe (for example, a copy of the name placed in a user-writable directory and launched from a shell or script).
Data source:
Windows: User account, process, file, kernel
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0002 - Execution, TA0005 - Defense Evasion
Techniques: T1059 - Command and Scripting Interpreter, T1036 - Masquerading
Sub-techniques: T1059.001 - PowerShell, T1036.004 - Masquerade Task or Service
Criteria:
Suspicious parent spawning spoolsv.exe:
- This rule targets process-creation events whose image file name is "spoolsv.exe", regardless of the directory it is launched from (a spoolsv.exe outside %SystemRoot%\System32 is itself worth attention).
- It considers the spawn suspicious if the parent process is not services.exe running from its legitimate location (%SystemRoot%\System32\services.exe). Parent path comparison should be case-insensitive, because Windows paths are.
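The criteria above, run over a handful of constructed Sysmon Event ID 1 records, as an added example (this is not the rule engine's own code). The allowlist of legitimate parents and the sample events are assumptions for illustration; the check compares the image's file name rather than a raw string suffix, so a binary named e.g. "evilspoolsv.exe" is not mistaken for the spooler.

```python
import ntpath

# Assumed allowlist: the Print Spooler is started by the Service Control
# Manager, i.e. services.exe in System32. Stored lower-case because Windows
# paths are case-insensitive. Extend if your environment legitimately differs.
LEGIT_PARENTS = {r"c:\windows\system32\services.exe"}


def is_suspicious_spoolsv_spawn(image: str, parent_image: str) -> bool:
    """True if `image` is spoolsv.exe launched by a parent outside LEGIT_PARENTS."""
    # Compare the base name, not a suffix: a plain endswith("spoolsv.exe")
    # would also match "evilspoolsv.exe", which is a different file entirely.
    if ntpath.basename(image).lower() != "spoolsv.exe":
        return False
    parent = ntpath.normpath(parent_image).lower()
    return parent not in LEGIT_PARENTS


def scan_events(events):
    """Return the Sysmon process-creation events (EventID 1) that match the rule."""
    return [
        e for e in events
        if e.get("EventID") == 1
        and is_suspicious_spoolsv_spawn(e.get("Image", ""), e.get("ParentImage", ""))
    ]


# Constructed sample events, shaped like the fields of Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Normal service start: allowed parent, mixed case on purpose.
    {"EventID": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\WINDOWS\system32\SERVICES.EXE", "User": r"NT AUTHORITY\SYSTEM"},
    # Real spooler binary launched by PowerShell: suspicious.
    {"EventID": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe"},
    # Copy named spoolsv.exe in a user-writable directory, launched from cmd: suspicious.
    {"EventID": 1, "Image": r"C:\Users\Public\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    # Unrelated process creation: ignored.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    # Network connection event (ID 3) for the spooler: not a process creation, ignored.
    {"EventID": 3, "Image": r"C:\Windows\System32\spoolsv.exe",
     "DestinationIp": "10.0.0.5", "User": r"NT AUTHORITY\SYSTEM"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} spawned image={hit['Image']} user={hit['User']}")
```

Running the block flags the two suspicious records only. When tuning in production, keep the allowlist to the fully qualified services.exe path rather than the bare name; a file named services.exe dropped elsewhere would otherwise pass.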
When to enable this rule:
Enable this rule to detect potential Print Spooler service abuse or privilege escalation via a suspicious parent spawning spoolsv.exe. Expect a short baselining period: any legitimate software that restarts the spooler through a non-services.exe path will need to be added to the allowlist.
Compliance mapping (NIST, CIS):
- NIST CSF: DE.AE (Anomalies and Events) for identifying irregular activity related to the print spooler service.
- CIS Control: 8 (Malware Defenses, CIS Controls v7; Control 10 in v8) to guard against malicious use of the spooler service for executing arbitrary code.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as part of an existing incident or open a new one, and assign it to an analyst for in-depth examination. Record the parent image, its command line, and the user context from the triggering event.
- Analysis: Investigate the impact and determine the degree of compromise using the Incident Workbench. Confirm whether the spawned spoolsv.exe is the genuine binary in %SystemRoot%\System32 or a look-alike elsewhere, and review what the parent process did before and after the spawn.
- Response: Use Workflows to terminate the identified malicious process and, where warranted, isolate the host; if the spooler was started from an unexpected path, treat the binary as a potential implant and preserve it for forensics before removal.