Skip to main content

Child processes of Spoolsv.exe

  • Updated

Spoolsv.exe is the process associated with the print spooler service in Windows and typically runs as SYSTEM. Child processes of spoolsv.exe are associated with a POC privilege-escalation exploit associated with CVE-2018-8440. You might want to look for these processes when doing the following:

Prerequisites 

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

You want to investigate privilege escalation attempts that leverage the spoolsv.exe as described in CVE-2018-8440. 

  1. Ensure that your deployment is ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
  2. Run the following search:  
    |tstats summariesonly=true allow_old_summaries=true count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user 
    |rename "Processes.*" as "*" 
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime) 
  3. Update the children_of_spoolsv_filter macro to filter out legitimate child processes spawned by spoolsv.exe. 

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

|tstats summariesonly=true allow_old_summaries=true count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user 

Query the Endpoint.Process data model object for any process that has a parent process named spoolsv.exe but it is not regsvr32.exe, which is what commonly launches spoolsv.exe. 

|rename "Processes.*" as "*" 

Rename the data model object for better readability.

|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)

Convert these times into readable strings.

 

Result

The search returns the user and the parent process. Any process that was spawned by spoolsv.exe other than regsvr32.exe is likely anomalous and should be investigated further. Additionally, if the user is not likely to be printing or is unknown, you should investigate. You can create an alert for this situation. 

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.