hayabusa/rules/Sigma/win_susp_spoolsv_child_processes.yml

title: Suspicious Spool Service Child Process
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021/07/11
description: Detects suspicious print spool service (spoolsv.exe) child processes.
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_10:
        Image: '*\sc.exe'
    SELECTION_11:
        Image: '*\findstr.exe'
    SELECTION_12:
        Image: '*\curl.exe'
    SELECTION_13:
        Image: '*\wget.exe'
    SELECTION_14:
        Image: '*\certutil.exe'
    SELECTION_15:
        Image: '*\bitsadmin.exe'
    SELECTION_16:
        Image: '*\accesschk.exe'
    SELECTION_17:
        Image: '*\wevtutil.exe'
    SELECTION_18:
        Image: '*\bcdedit.exe'
    SELECTION_19:
        Image: '*\fsutil.exe'
    SELECTION_2:
        ParentImage: '*\\spoolsv.exe'
    SELECTION_20:
        Image: '*\cipher.exe'
    SELECTION_21:
        Image: '*\schtasks.exe'
    SELECTION_22:
        Image: '*\write.exe'
    SELECTION_23:
        Image: '*\wuauclt.exe'
    SELECTION_24:
        EventID: 1
    SELECTION_25:
        Image: '*\net.exe'
    SELECTION_26:
        CommandLine: '*start*'
    SELECTION_27:
        EventID: 1
    SELECTION_28:
        Image: '*\cmd.exe'
    SELECTION_29:
        CommandLine: '*.spl*'
    SELECTION_3:
        IntegrityLevel: System
    SELECTION_30:
        CommandLine: '*route add*'
    SELECTION_31:
        CommandLine: '*program files*'
    SELECTION_32:
        EventID: 1
    SELECTION_33:
        Image: '*\netsh.exe'
    SELECTION_34:
        CommandLine: '*add portopening*'
    SELECTION_35:
        CommandLine: '*rule name*'
    SELECTION_36:
        EventID: 1
    SELECTION_37:
        Image: '*\powershell.exe'
    SELECTION_38:
        CommandLine: '*.spl*'
    SELECTION_39:
        Image: '*\rundll32.exe'
    SELECTION_4:
        Image: '*\gpupdate.exe'
    SELECTION_40:
        CommandLine: '*rundll32.exe'
    SELECTION_5:
        Image: '*\whoami.exe'
    SELECTION_6:
        Image: '*\nltest.exe'
    SELECTION_7:
        Image: '*\taskkill.exe'
    SELECTION_8:
        Image: '*\wmic.exe'
    SELECTION_9:
        Image: '*\taskmgr.exe'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and ((((((SELECTION_4
        or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
        or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
        or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
        or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) or (SELECTION_24
        and SELECTION_25 and  not (SELECTION_26))) or (SELECTION_27 and SELECTION_28
        and  not ((SELECTION_29 or SELECTION_30 or SELECTION_31)))) or (SELECTION_32
        and SELECTION_33 and  not ((SELECTION_34 or SELECTION_35)))) or (SELECTION_36
        and SELECTION_37 and  not (SELECTION_38))) or (SELECTION_39 and SELECTION_40)))
falsepositives:
- None known
fields:
- Image
- CommandLine
id: dcdbc940-0bff-46b2-95f3-2d73f848e33b
level: high
logsource:
    category: process_creation
    product: windows
references:
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
status: stable
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
yml_filename: win_susp_spoolsv_child_processes.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation