Spoolsv.exe is the process associated with the print spooler service in Windows and typically runs as SYSTEM. Child processes of spoolsv.exe are associated with a POC privilege-escalation exploit associated with CVE-2018-8440. You might want to look for these processes when doing the following:
Prerequisites
Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
You want to investigate privilege escalation attempts that leverage the spoolsv.exe as described in CVE-2018-8440.
- Ensure that your deployment is ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
- Run the following search:
|tstats `security_content_summariesonly` count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user
|`drop_dm_object_name(Processes)`
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
|`children_of_spoolsv_filter` - Update the children_of_spoolsv_filter macro to filter out legitimate child processes spawned by spoolsv.exe.
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
|tstats `security_content_summariesonly` count values(Processes.process_name) AS process_name values(Processes.process) AS process min(_time) AS firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe BY Processes.dest Processes.parent_process Processes.user |
Query the Endpoint.Process data model object for any process that has a parent process named spoolsv.exe but it is not regsvr32.exe, which is what commonly launches spoolsv.exe. Note: The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote ('). |
|
|`drop_dm_object_name(Processes)` |
Run a macro to rename the data model object for better readability. |
|
|`security_content_ctime(firstTime)` |
Run a macro to convert firstTime from epoch time to a readable string. |
|
|`security_content_ctime(lastTime)` |
Run a macro to convert lastTime from epoch time to a readable string. |
|
|`children_of_spoolsv_filter` |
Run this macro to speed up the search. |
Result
The search returns the user and the parent process. Any process that was spawned by spoolsv.exe other than regsvr32.exe is likely anomalous and should be investigated further. Additionally, if the user is not likely to be printing or is unknown, you should investigate. You can create an alert for this situation.
Comments
0 comments
Please sign in to leave a comment.