Spoolsv Suspicious Loaded Modules

Splunk Security Content

Summary
This analytic detects suspicious module loads by the Windows Print Spooler service (spoolsv.exe). It uses Sysmon EventCode 7 (Image loaded) to find a single spoolsv.exe process that loads three or more DLLs from the System32 spool driver directory (C:\Windows\System32\spool\drivers). The pattern is associated with exploitation of the PrintNightmare vulnerability (CVE-2021-34527), in which the spooler improperly performs privileged file operations and can be made to install and load an attacker-supplied printer driver DLL, giving arbitrary code execution as SYSTEM either locally or from a remote client. An alert is raised once the number of driver-directory DLLs loaded by one spoolsv.exe process reaches the threshold. If confirmed, the activity indicates privilege escalation or remote code execution on the host, so the detection is most valuable on endpoints that are unpatched or that still expose the spooler service. Legitimate printer driver installation (for example Point and Print) also causes spoolsv.exe to load DLLs from this directory, so alerts should be triaged against the loaded DLL names and the host's expected driver activity.
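As an added example (not the Splunk detection's own search, which is written in SPL), the following Python re-implements the logic described above over constructed Sysmon Event ID 7 records: filter to spoolsv.exe, keep only loads from the spool driver directory, group by host and process ID, and alert at three or more distinct DLLs. The x64 subdirectory, the host/PID grouping key, and counting distinct paths rather than raw events are assumptions about how the analytic is written; the events are constructed sample data, not real telemetry.

```python
"""Toy re-implementation of the 'Spoolsv Suspicious Loaded Modules' logic
over constructed Sysmon Event ID 7 (Image loaded) records."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directory the analytic watches. Assumption: the x64 driver store under the
# "System32 spool driver directory" named in the summary.
SPOOL_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\spool\drivers\x64")
THRESHOLD = 3  # distinct driver-directory DLLs loaded by one spoolsv.exe process

# Constructed sample events, NOT real telemetry. Field names follow Sysmon's
# Event ID 7 schema (Image, ImageLoaded, ProcessId, Computer, UtcTime).
SAMPLE_EVENTS = [
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 10:00:01",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\a.dll"},
    # Same DLL loaded again by the same process: counted once.
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 10:00:02",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\a.dll"},
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 10:00:03",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\b.dll"},
    # Mixed-case path: NTFS is case-insensitive, so it is normalized before counting.
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 10:00:04",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"c:\windows\system32\SPOOL\DRIVERS\x64\3\C.DLL"},
    # Ordinary system DLL load by the same process: outside the watched directory.
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 10:00:05",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Another host loading a single driver DLL: below threshold.
    {"EventCode": 7, "Computer": "WS02", "ProcessId": 2000, "UtcTime": "2024-11-13 10:05:00",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},
    # A non-spooler process loading from the directory: ignored.
    {"EventCode": 7, "Computer": "DC01", "ProcessId": 4444, "UtcTime": "2024-11-13 10:06:00",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\b.dll"},
    # A process-creation event (EventCode 1) mentioning spoolsv.exe: wrong event type, ignored.
    {"EventCode": 1, "Computer": "DC01", "ProcessId": 1234, "UtcTime": "2024-11-13 09:59:59",
     "Image": r"C:\Windows\System32\spoolsv.exe"},
]


def _under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies strictly inside `directory`."""
    p = [part.lower() for part in path.parts]
    d = [part.lower() for part in directory.parts]
    return p[:len(d)] == d and len(p) > len(d)


def detect_spoolsv_module_loads(events, threshold=THRESHOLD, driver_dir=SPOOL_DRIVER_DIR):
    """Return one alert per (Computer, ProcessId) whose spoolsv.exe loaded
    at least `threshold` distinct DLLs from `driver_dir`."""
    loaded = defaultdict(set)   # (Computer, ProcessId) -> set of normalized DLL paths
    times = defaultdict(list)   # (Computer, ProcessId) -> UtcTime of matching loads
    for ev in events:
        if ev.get("EventCode") != 7:
            continue
        # Match on the basename so a lookalike such as "notspoolsv.exe" does not qualify.
        if PureWindowsPath(ev["Image"]).name.lower() != "spoolsv.exe":
            continue
        module = PureWindowsPath(ev["ImageLoaded"])
        if not _under(module, driver_dir):
            continue
        key = (ev["Computer"], ev["ProcessId"])
        loaded[key].add(str(module).lower())
        times[key].append(ev["UtcTime"])

    alerts = []
    for (computer, pid), modules in loaded.items():
        if len(modules) >= threshold:
            alerts.append({
                "Computer": computer,
                "ProcessId": pid,
                "count": len(modules),
                "firstTime": min(times[(computer, pid)]),
                "lastTime": max(times[(computer, pid)]),
                "ImageLoaded": sorted(modules),
            })
    return sorted(alerts, key=lambda a: (a["Computer"], a["ProcessId"]))


if __name__ == "__main__":
    for alert in detect_spoolsv_module_loads(SAMPLE_EVENTS):
        print(alert)
```

Only the DC01 spoolsv.exe process (PID 1234) trips the threshold: four load events collapse to three distinct DLLs, the kernel32.dll load is outside the watched directory, WS02 stays at one DLL, and the explorer.exe loads never enter the count. In production the same grouping is what makes tuning possible: because legitimate Point and Print driver installs produce this shape too, compare the `ImageLoaded` list in each alert against the driver packages expected on that host before treating it as exploitation.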
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • File
  • Script
ATT&CK Techniques
  • T1547.012
  • T1547
Created: 2024-11-13