Techniques
Sample rules
Windows Spooler Service Suspicious Binary Load
- source: sigma
- techniques:
- t1574 (Hijack Execution Flow)
Description
Detects the print spooler service (spoolsv.exe) loading a DLL from the print driver directories under \Windows\System32\spool\drivers\x64\ (the version 3 and version 4 driver stores, including their backup subfolders). The rule matches on image-load events, i.e. Sysmon Event ID 7 (the Sigma image_load category), where the loading process is spoolsv.exe and the loaded module is a .dll under one of those paths. Legitimate print driver DLLs also live in these folders, so matches during normal driver installation and printing are expected and need to be baselined.
Detection logic
selection:
    Image|endswith: '\spoolsv.exe'
    ImageLoaded|contains:
      - '\Windows\System32\spool\drivers\x64\3\'
      - '\Windows\System32\spool\drivers\x64\4\'
    ImageLoaded|endswith: '.dll'
condition: selection
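The following is an added example, not part of the Sigma rule or the Sigma project's tooling: a minimal evaluator for the selection above (AND across keys, OR across a list of values, case-insensitive matching as the Sigma specification requires), run over a handful of constructed Sysmon Event ID 7 records. The event records, the file names in them (evil.dll, driver.cat) and the helper names are all assumptions made for the demonstration.

```python
"""Run the spoolsv.exe image-load selection over constructed Sysmon EID 7 records."""
from typing import Any

# The selection block of the rule, transcribed as a Python dict.
# Sigma string comparisons are case-insensitive, so every modifier folds case.
SELECTION: dict[str, Any] = {
    "Image|endswith": "\\spoolsv.exe",
    "ImageLoaded|contains": [
        "\\Windows\\System32\\spool\\drivers\\x64\\3\\",
        "\\Windows\\System32\\spool\\drivers\\x64\\4\\",
    ],
    "ImageLoaded|endswith": ".dll",
}


def _match_one(modifier: str, actual: str, expected: str) -> bool:
    """Apply a single Sigma string modifier (subset) case-insensitively."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict[str, Any], selection: dict[str, Any] = SELECTION) -> bool:
    """All keys of a selection are AND-ed; a list of values for one key is OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if not isinstance(actual, str):
            return False  # missing field can never satisfy a string modifier
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_one(modifier, actual, v) for v in values):
            return False
    return True


# Constructed sample events (hypothetical paths and file names, not real telemetry).
SAMPLE_EVENTS = [
    # 1: spoolsv.exe loads a DLL from a backup subfolder of the v3 driver store -> match
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\Old\1\evil.dll"},
    # 2: same pattern in the v4 store with different casing -> still a match
    {"EventID": 7, "Image": r"C:\WINDOWS\SYSTEM32\SPOOLSV.EXE",
     "ImageLoaded": r"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\4\UNIDRV.DLL"},
    # 3: spoolsv.exe loading an ordinary System32 DLL -> no match (path filter)
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    # 4: a different process loading from the driver store -> no match (Image filter)
    {"EventID": 7, "Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll"},
    # 5: right process and folder, but not a .dll -> no match (endswith filter)
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\driver.cat"},
    # 6: 32-bit driver store (W32X86) -> no match; the rule only lists x64 paths
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\W32X86\3\evil.dll"},
]


def alerts(events: list[dict[str, Any]] = SAMPLE_EVENTS) -> list[int]:
    """Return the 1-based indices of events that satisfy the selection."""
    return [i for i, ev in enumerate(events, 1) if matches_selection(ev)]


if __name__ == "__main__":
    print("matching sample events:", alerts())  # [1, 2]
```

Events 4 to 6 illustrate the rule's boundaries: it keys on the loading process being spoolsv.exe, on the module ending in .dll, and only on the x64 driver store, so a DLL loaded by a driver isolation host or from the W32X86 store would need a separate rule. Event 1 also shows that `contains` matches any subdirectory of the listed paths, which is what lets the rule cover the backup subfolders.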