
Spoolsv Spawning Rundll32

Splunk Security Content

Summary
This rule detects `spoolsv.exe` spawning `rundll32.exe` with no command-line arguments. That parent/child combination is unusual and is associated with exploitation attempts against the PrintNightmare vulnerability (CVE-2021-34527). `spoolsv.exe` does not normally spawn child processes, so any such activity is a red flag that warrants investigation: it could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. The detection uses Endpoint Detection and Response (EDR) telemetry of process-creation events, specifically those in which `spoolsv.exe` is the parent process.
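The same parent/child and empty-command-line check, run over constructed EDR-style process-creation events, as an added example (not Splunk's SPL or code; the event field names and sample values are assumptions):

```python
# Added example (not Splunk's SPL or code): the parent/child + empty command
# line check from the summary, run over constructed EDR-style process events.
from typing import Iterable

# Constructed sample events modelled on process-creation telemetry. The second
# and third are the pattern the rule flags; the others should not match.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe"},
    {"host": "srv02", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": ""},
    {"host": "srv02", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

def basename(path: str) -> str:
    """File name of a Windows path, lower-cased for case-insensitive compares."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is empty or is only the executable itself
    (bare name or full path, optionally quoted) with nothing after it."""
    cl = command_line.strip().strip('"').strip()
    return not cl or basename(cl) == basename(image)

def detect_spoolsv_rundll32(events: Iterable[dict]) -> list:
    """Return events where spoolsv.exe spawned rundll32.exe with no arguments,
    the condition the summary above describes."""
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) != "spoolsv.exe":
            continue
        if basename(ev["image"]) != "rundll32.exe":
            continue
        if has_no_arguments(ev["command_line"], ev["image"]):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in detect_spoolsv_rundll32(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['host']}: spoolsv.exe -> rundll32.exe, "
              f"command line {hit['command_line']!r}")
```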
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1547.012
  • T1547
Created: 2024-12-10