Techniques
Sample rules
Spoolsv Spawning Rundll32
- source: splunk
- technicques:
- T1547.012
- T1547
Description
The following analytic identifies a suspicious child process, rundll32.exe
, with no command-line arguments being spawned from spoolsv.exe
. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for spoolsv.exe
to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `spoolsv_spawning_rundll32_filter`