
Summary
This detection rule identifies suspicious dynamic link library (DLL) loads by the Windows Print Spooler service. It specifically looks for DLLs loaded from the backup folders of the Spooler service, a potential indicator of malicious activity related to the PrintNightmare vulnerability or other exploits targeting the Spooler service. The rule operates by monitoring image-load events where the loading process image ends with 'spoolsv.exe', the loaded image path contains specific folders linked to the Spooler service drivers, and the loaded file has a '.dll' extension. This could help network administrators flag unusual activity within their environment that could lead to privilege escalation or defense evasion attempts by malicious actors. False positives may occur due to legitimate driver loading, so context and further investigation are critical to validate alerts.
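The following is an added example of the three-part match described above, written for this page rather than taken from the rule or any detection engine. It applies the conditions to Sysmon-style image-load records (Event ID 7, fields `Image` and `ImageLoaded`). The page does not name the backup folders, so the two path fragments in `BACKUP_FOLDERS` are assumptions chosen for illustration, and the `ALLOWLISTED_DLLS` tuning knob is an assumed addition for reducing the false positives the summary mentions; the sample events are constructed.

```python
"""Added example: minimal matcher for suspicious Spooler DLL loads.

Not the rule's own code. Mirrors the three conditions in the summary:
  1. loading process image ends with spoolsv.exe
  2. loaded image path contains a Spooler driver backup folder
  3. loaded file has a .dll extension
"""

# ASSUMPTION: the page does not list the backup folders; these fragments are
# illustrative only and should be replaced with the rule's actual values.
BACKUP_FOLDERS = (
    "\\spool\\drivers\\x64\\3\\old\\",
    "\\spool\\drivers\\x64\\3\\new\\",
)

# ASSUMPTION: tuning knob for false positives from legitimate driver loads.
# Empty by default; populate after investigation confirms a benign DLL.
ALLOWLISTED_DLLS: tuple[str, ...] = ()


def is_suspicious_spooler_load(event: dict) -> bool:
    """Return True when an image-load event satisfies all three conditions."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()

    # Condition 1: the loading process is the Print Spooler.
    if not image.endswith("spoolsv.exe"):
        return False
    # Condition 3: only DLL files are of interest (checked before the
    # substring scan because it is the cheapest test).
    if not loaded.endswith(".dll"):
        return False
    # Condition 2: the DLL sits in one of the driver backup folders.
    if not any(folder in loaded for folder in BACKUP_FOLDERS):
        return False
    # Optional tuning: drop DLLs an analyst has already validated.
    dll_name = loaded.rsplit("\\", 1)[-1]
    return dll_name not in ALLOWLISTED_DLLS


def scan_events(events: list[dict]) -> list[str]:
    """Return the ImageLoaded paths of every event that matches the rule."""
    return [e["ImageLoaded"] for e in events if is_suspicious_spooler_load(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # matches: spooler loads a DLL from an old-driver backup folder
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "ImageLoaded": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\sample.dll",
    },
    {  # no match: DLL is in the live driver folder, not a backup folder
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "ImageLoaded": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrv.dll",
    },
    {  # no match: loading process is not the spooler
        "Image": "C:\\Windows\\explorer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\sample.dll",
    },
    {  # no match: file in a backup folder but not a .dll
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "ImageLoaded": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\new\\printconfig.dat",
    },
]

if __name__ == "__main__":
    for path in scan_events(SAMPLE_EVENTS):
        print("ALERT suspicious spooler DLL load:", path)
```

The comparisons are lower-cased because Windows paths are case-insensitive and Sysmon records them as the loader reported them; an exact-case match would silently miss events. Any hit should still be investigated alongside the preceding driver-install activity, since the summary notes that legitimate driver loading can produce the same pattern.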
Categories
- Windows
- Endpoint
Data Sources
- Process
- Image
Created: 2021-06-29