Spoolsv.exe is the process associated with the print spooler service in Windows and typically runs as SYSTEM. Child processes of spoolsv.exe are associated with a proof-of-concept (POC) privilege-escalation exploit for CVE-2018-8440. You might want to look for these processes when doing the following:
Prerequisites
Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
You want to investigate privilege escalation attempts that leverage the spoolsv.exe as described in CVE-2018-8440.
- Ensure that your deployment is ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
- Run the following search:
  |tstats summariesonly=true allow_old_summaries=true count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user
  |rename "Processes.*" as "*"
  |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
  |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
- Update the children_of_spoolsv_filter macro to filter out legitimate child processes spawned by spoolsv.exe.
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search: |tstats summariesonly=true allow_old_summaries=true count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user
Explanation: Query the Endpoint.Processes data model object for any process whose parent process is spoolsv.exe and that is not itself regsvr32.exe, the child process that spoolsv.exe commonly launches.

Splunk Search: |rename "Processes.*" as "*"
Explanation: Rename the data model object fields for better readability.

Splunk Search: |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
Explanation: Convert these epoch times into readable strings.
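To see what the search above produces on concrete data, here is an added example (not Splunk's code) that applies the same logic in Python to a handful of constructed, Endpoint.Processes-shaped events: keep children of spoolsv.exe other than regsvr32.exe, drop names on a site allowlist standing in for the children_of_spoolsv_filter macro (the allowlist contents and the event values are assumptions), and group by dest, parent_process and user with count, values() and first/last time formatted like the convert commands.

```python
from collections import defaultdict
from datetime import datetime, timezone

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # same format as the convert ... ctime() lines

def _event(t, dest, user, parent_name, child_name, cmdline):
    """Build one constructed Endpoint.Processes-shaped event (_time in epoch seconds)."""
    return {"_time": t, "dest": dest, "user": user,
            "parent_process_name": parent_name,
            "parent_process": "C:\\Windows\\System32\\" + parent_name,
            "process_name": child_name, "process": cmdline}

# Constructed sample events: the expected regsvr32 child, two suspicious children,
# a child of a different parent, and a child that a site allowlist would exclude.
SAMPLE_EVENTS = [
    _event(1537000000, "wks01", "NT AUTHORITY\\SYSTEM", "spoolsv.exe", "regsvr32.exe",
           "regsvr32.exe /s C:\\Windows\\System32\\spool\\drivers\\x64\\3\\printui.dll"),
    _event(1537000100, "wks01", "NT AUTHORITY\\SYSTEM", "spoolsv.exe", "cmd.exe",
           "cmd.exe /c whoami"),
    _event(1537000200, "wks01", "NT AUTHORITY\\SYSTEM", "spoolsv.exe", "powershell.exe",
           "powershell.exe -nop -w hidden"),
    _event(1537000300, "wks02", "CORP\\alice", "explorer.exe", "cmd.exe", "cmd.exe"),
    _event(1537000400, "wks03", "NT AUTHORITY\\SYSTEM", "spoolsv.exe",
           "PrintIsolationHost.exe", "PrintIsolationHost.exe -Embedding"),
]

# Hypothetical stand-in for the children_of_spoolsv_filter macro: names verified as benign on your estate.
LEGITIMATE_CHILDREN = {"printisolationhost.exe"}

def _ctime(t):
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime(TIME_FMT)

def children_of_spoolsv(events, allowlist=LEGITIMATE_CHILDREN):
    """Mirror the tstats search: keep children of spoolsv.exe other than regsvr32.exe,
    drop allowlisted names, then group by dest/parent_process/user."""
    groups = defaultdict(list)
    for ev in events:
        name = ev["process_name"].lower()
        if ev["parent_process_name"].lower() != "spoolsv.exe" or name == "regsvr32.exe":
            continue
        if name in allowlist:  # the filter macro step, applied per child process here
            continue
        groups[(ev["dest"], ev["parent_process"], ev["user"])].append(ev)
    results = []
    for (dest, parent, user), evs in groups.items():
        times = [e["_time"] for e in evs]
        results.append({"dest": dest, "parent_process": parent, "user": user,
                        "count": len(evs),
                        "process_name": sorted({e["process_name"] for e in evs}),
                        "process": sorted({e["process"] for e in evs}),
                        "firstTime": _ctime(min(times)), "lastTime": _ctime(max(times))})
    return results
```

Each returned dict is one row of the search result; with the allowlist in place only the wks01 row with cmd.exe and powershell.exe survives, which is the kind of row the Result section says to investigate.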
Result
The search returns the user and the parent process. Any process that was spawned by spoolsv.exe other than regsvr32.exe is likely anomalous and should be investigated further. Additionally, if the user is not likely to be printing or is unknown, you should investigate. You can create an alert for this situation.
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.