child_processes_of_spoolsv_exe.yml
name: Child Processes of Spoolsv exe
id: aa0c4aeb-5b18-41c4-8c07-f1442d7599df
version: 3
date: '2023-04-14'
author: Rico Valdez, Splunk
status: experimental
type: TTP
description: This search looks for child processes of spoolsv.exe. This activity is
  associated with a POC privilege-escalation exploit associated with CVE-2018-8440.
  Spoolsv.exe is the process associated with the Print Spooler service in Windows
  and typically runs as SYSTEM.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
  as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
  AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process
  Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: Some legitimate printer-related processes may show up as children
  of spoolsv.exe. Confirm that any such activity is legitimate; processes confirmed
  as legitimate may then be added as exclusions in the search.
references: []
tags:
  analytic_story:
  - Data Destruction
  - Hermetic Wiper
  - Windows Privilege Escalation
  asset_type: Endpoint
  confidence: 50
  cve:
  - CVE-2018-8440
  impact: 50
  message: tbd
  mitre_attack_id:
  - T1068
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.process_name
  - Processes.process
  - Processes.parent_process_name
  - Processes.dest
  - Processes.parent_process
  - Processes.user
  risk_score: 25
  security_domain: endpoint
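As an added example (not part of this detection or the Splunk content project), the logic of the `tstats` search above re-implemented in Python over a few constructed Sysmon Event ID 1 records already normalised to the `Endpoint.Processes` field names: keep events whose parent is spoolsv.exe, drop the regsvr32.exe exclusion, then group by `dest`, `parent_process` and `user` with count, distinct process names and first/last time. The `exclusions` parameter stands in for the `child_processes_of_spoolsv_exe_filter` macro where confirmed-legitimate printer-related children would go; the case-folding of process names is this example's choice, not a claim about Splunk's comparison semantics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon Event ID 1 records (not real telemetry), with the
# Endpoint.Processes field names the detection uses.
SAMPLE_EVENTS = [
    {"_time": "2023-04-14T09:00:05", "dest": "host-a", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "spoolsv.exe", "parent_process": "C:\\Windows\\System32\\spoolsv.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c whoami"},
    {"_time": "2023-04-14T09:00:07", "dest": "host-a", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "spoolsv.exe", "parent_process": "C:\\Windows\\System32\\spoolsv.exe",
     "process_name": "powershell.exe", "process": "powershell.exe -nop -w hidden"},
    # Child of spoolsv.exe, but regsvr32.exe is excluded in the search's where clause.
    {"_time": "2023-04-14T09:01:00", "dest": "host-b", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "spoolsv.exe", "parent_process": "C:\\Windows\\System32\\spoolsv.exe",
     "process_name": "regsvr32.exe", "process": "regsvr32.exe /s printdrv.dll"},
    # Not a child of spoolsv.exe at all; must not match.
    {"_time": "2023-04-14T09:02:00", "dest": "host-b", "user": "alice",
     "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\explorer.exe",
     "process_name": "cmd.exe", "process": "cmd.exe"},
]


def child_processes_of_spoolsv(events, exclusions=frozenset({"regsvr32.exe"})):
    """Mirror the SPL search: filter on parent spoolsv.exe, drop excluded child
    names (the where clause plus the filter macro), group by dest/parent_process/user,
    and compute count, values(process_name), values(process), firstTime and lastTime."""
    groups = defaultdict(lambda: {"count": 0, "process_name": set(), "process": set(),
                                  "firstTime": None, "lastTime": None})
    for ev in events:
        if ev["parent_process_name"].lower() != "spoolsv.exe":
            continue
        if ev["process_name"].lower() in exclusions:
            continue
        g = groups[(ev["dest"], ev["parent_process"], ev["user"])]
        g["count"] += 1
        g["process_name"].add(ev["process_name"])
        g["process"].add(ev["process"])
        t = datetime.fromisoformat(ev["_time"])
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return [{"dest": d, "parent_process": p, "user": u, **g}
            for (d, p, u), g in groups.items()]


if __name__ == "__main__":
    for row in child_processes_of_spoolsv(SAMPLE_EVENTS):
        print(row["dest"], row["user"], row["count"], sorted(row["process_name"]))
```

Running it on the sample yields one row for host-a with two child processes; adding a confirmed-legitimate name to `exclusions` removes it from the result the same way the filter macro would.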