
Summary
This detection rule identifies potentially malicious activity associated with the Print Spooler service on Windows systems, specifically privilege escalation via the creation of unauthorized DLL files. The rule was designed in response to known vulnerabilities, including CVE-2020-1048, CVE-2020-1337, and CVE-2020-1300. It captures file creation events in which the executable 'spoolsv.exe' writes a DLL file, behaviour indicative of an attempt to exploit these vulnerabilities. The rule applies to data collected from various sources, including Winlogbeat, Endpoint logs, Sysmon event logs, and cloud solutions such as Microsoft 365 Defender and SentinelOne. Investigation steps include verifying the legitimacy of the DLL files created, reviewing file paths against known malicious patterns, and confirming that systems are patched against the aforementioned vulnerabilities. False positive scenarios and remediation steps are also detailed to help security teams respond effectively to alerts.
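The matching condition described above (a file-creation event whose acting process is spoolsv.exe and whose target is a .dll) is small enough to show as running code. The block below is an added illustration, not the rule's own query or any vendor's schema: the event field names (event_type, process_image, target_filename) are assumptions loosely modelled on Sysmon Event ID 11 (FileCreate), and the sample events are constructed.

```python
"""
Added example of the spoolsv.exe -> DLL file-creation check described in the
summary. Field names are assumed, modelled on Sysmon Event ID 11; the events
below are constructed samples, not captured telemetry.
"""
import ntpath
from typing import Iterable

SPOOLER_IMAGE = "spoolsv.exe"


def is_spooler_dll_create(event: dict) -> bool:
    """Return True when a file-creation event shows spoolsv.exe writing a .dll.

    The process image is reduced to its basename and compared case-insensitively,
    so both a bare name and a full path match; the target is checked by extension.
    """
    if event.get("event_type") != "file_create":
        return False
    image = ntpath.basename(event.get("process_image", "")).lower()
    target = event.get("target_filename", "").lower()
    return image == SPOOLER_IMAGE and target.endswith(".dll")


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that satisfy the detection condition."""
    return [e for e in events if is_spooler_dll_create(e)]


# Constructed sample events (assumed field names), covering the cases a
# practitioner would want to see: a match, a benign spool file written by the
# spooler, a DLL written by a different process, the wrong event type, and a
# match whose casing differs.
SAMPLE_EVENTS = [
    {"event_type": "file_create",
     "process_image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\example.dll"},          # matches
    {"event_type": "file_create",
     "process_image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},  # spool file, not a DLL
    {"event_type": "file_create",
     "process_image": r"C:\Program Files\Vendor\setup.exe",
     "target_filename": r"C:\Program Files\Vendor\driver.dll"},        # other process
    {"event_type": "process_create",
     "process_image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\other.dll"},             # not a file-creation event
    {"event_type": "file_create",
     "process_image": r"C:\Windows\System32\SPOOLSV.EXE",
     "target_filename": r"C:\Windows\System32\spool\DRIVERS\x64\3\Example.DLL"},  # matches despite casing
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["process_image"], "->", alert["target_filename"])
```

Run stand-alone, the block reports the first and last sample events. Note that the last match lands in a printer-driver directory; the summary's investigation steps (verifying the DLL's legitimacy and reviewing its path) are exactly what separates a driver installation from an exploitation attempt, and the matching logic alone does not make that distinction.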
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- File
- Process
- Application Log
- Cloud Service
- User Account
ATT&CK Techniques
- T1068
Created: 2020-08-14