Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
Rule "Suspicious PrintSpooler Service Executable File Creation" alerts about tsprint.dll, which is signed by "Microsoft Windows".
Presumably that is a false positive in the context of this rule. The associated CVEs, on review, cover deployment of rogue files, not Microsoft-signed components.
Another potential improvement would be including DLL file signature detail (signer and trust status) in the alert fields. This does not seem to be available currently.
file.path C:\Windows\system32\spool\DRIVERS\x64\3\New\tsprint.dll
file.name tsprint.dll
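The tuning described above, as an added example that is not part of the issue or of elastic/detection-rules: a small triage helper that evaluates ECS-shaped alert documents against a proposed exclusion, suppressing only files whose code signature is both trusted and issued to "Microsoft Windows". The sample documents are constructed for illustration; only the tsprint.dll path comes from the report. The helper deliberately keeps alerting when the signature block is absent (the current state noted above) or when the subject name matches but the signature is not trusted.

```python
"""Triage helper for a signature-based exclusion on the PrintSpooler
file-creation rule (added example; sample documents are constructed)."""

# ECS fields used: file.path, file.name, file.code_signature.subject_name,
# file.code_signature.trusted. Only the first document's path is from the issue.
TRUSTED_SIGNER = "Microsoft Windows"

# Constructed alert documents in ECS layout.
SAMPLE_DOCS = [
    {   # From the report: a Microsoft-signed DLL; the candidate false positive.
        "file": {
            "path": r"C:\Windows\system32\spool\DRIVERS\x64\3\New\tsprint.dll",
            "name": "tsprint.dll",
            "code_signature": {"subject_name": TRUSTED_SIGNER, "trusted": True},
        }
    },
    {   # Constructed: unsigned driver file; must still alert.
        "file": {
            "path": r"C:\Windows\system32\spool\DRIVERS\x64\3\New\unsigned_example.dll",
            "name": "unsigned_example.dll",
            "code_signature": {"trusted": False},
        }
    },
    {   # Constructed: signer name matches but the signature does not validate.
        "file": {
            "path": r"C:\Windows\system32\spool\DRIVERS\x64\3\New\untrusted_example.dll",
            "name": "untrusted_example.dll",
            "code_signature": {"subject_name": TRUSTED_SIGNER, "trusted": False},
        }
    },
    {   # Constructed: no signature enrichment at all (today's situation).
        "file": {
            "path": r"C:\Windows\system32\spool\DRIVERS\x64\3\New\no_sig_example.dll",
            "name": "no_sig_example.dll",
        }
    },
]


def is_trusted_microsoft_signature(doc):
    """True only when the signature is trusted AND issued to Microsoft Windows.

    Both checks are required: the subject name alone is metadata and should
    not suppress an alert unless the signature actually validates.
    """
    sig = doc.get("file", {}).get("code_signature") or {}
    return sig.get("trusted") is True and sig.get("subject_name") == TRUSTED_SIGNER


def should_alert(doc):
    """Exclusion logic: suppress trusted Microsoft-signed files, alert otherwise."""
    return not is_trusted_microsoft_signature(doc)


def triage(docs):
    """Map file.name -> alert decision for a batch of documents."""
    return {doc["file"]["name"]: should_alert(doc) for doc in docs}


def summary(docs):
    """Return (alerted, suppressed) counts for the batch."""
    decisions = triage(docs)
    alerted = sum(1 for v in decisions.values() if v)
    return alerted, len(decisions) - alerted


if __name__ == "__main__":
    for name, alert in triage(SAMPLE_DOCS).items():
        print(f"{name:24s} -> {'ALERT' if alert else 'suppressed'}")
    print("alerted/suppressed:", summary(SAMPLE_DOCS))
```

The point of the third document is the caveat that matters when writing such an exception: a signer name alone is not evidence, so the exclusion must key on the trust result as well.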
Example Data
No response