Suspicious PrintSpooler Service Executable File Creation

Last updated 5 months ago on 2025-03-20

Created 5 years ago on 2020-08-14

About

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Privilege EscalationData Source: Elastic EndgameUse Case: VulnerabilityData Source: Elastic DefendData Source: SysmonData Source: Microsoft Defender for EndpointData Source: SentinelOneLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Exploitation for Privilege Escalation (T1068)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

New Terms Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-endpoint.events.file-*logs-windows.sysmon_operational-*endgame-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

m365_defender(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

event.category : "file" and host.os.type : "windows" and event.type : "creation" and
  process.name : "spoolsv.exe" and file.extension : "dll"

Install detection rules in Elastic Security

Detect Suspicious PrintSpooler Service Executable File Creation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).