children_of_spoolsv.yml

asset_type: Endpoint
confidence: medium
creation_date: '2018-11-26'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
    - Tanium
    - Ziften
description: This search looks for child processes of spoolsv.exe. This activity is
  associated with a POC privilege-escalation exploit associated with CVE-2018-8440.
  Spoolsv.exe is the process associated with the Print Spooler service in Windows
  and typically runs as SYSTEM.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, process_name, parent_process_name
        rule_description: A child process of spoolsv.exe was detected on $dest$.
        rule_title: Spoolsv.exe spawned a child process on $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 60
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name
        values(Processes.process) as process min(_time) as firstTime max(_time) as
        lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
        AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process
        Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      suppress:
        suppress_fields: dest, parent_process_name
        suppress_period: 86400s
eli5: This search looks for child processes of spoolsv.exe, which is associated with
  the Print Spooler service on Windows. Children of this process typically run under
  the SYSTEM context. This search should address the POC developed for the Windows
  local-privilege-escalation exploit announced in September of 2018. The associated
  vulnerability was assigned CVE-2018-8440. More information is available at https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f.
entities:
  - dest
how_to_implement: You must be ingesting endpoint data that tracks process activity,
  including parent-child relationships from your endpoints to populate the Endpoint
  data model in the Processes node. The command-line arguments are mapped to the "process"
  field in the Endpoint data model.
id: aa0c4aeb-5b18-41c4-8c07-f1442d7599df
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fecf2918-670d-4f1c-872b-3d7317a41bf9
    name: Get Parent Process Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
    name: Get Process Info
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: Some legitimate printer-related processes may show up as children
  of spoolsv.exe. You should confirm that any activity as legitimate and may be added
  as exclusions in the search.
maintainers:
  - company: Splunk
    email: rvaldez@splunk.com
    name: Rico Valdez
mappings:
  cis20:
    - CIS 5
    - CIS 8
  kill_chain_phases:
    - Exploitation
  mitre_attack:
    - Privilege Escalation
    - Exploitation for Privilege Escalation
  nist:
    - PR.AC
    - PR.PT
    - DE.CM
modification_date: '2018-12-03'
name: Child Processes of Spoolsv.exe
original_authors:
  - company: Splunk
    email: rvaldez@splunk.com
    name: Rico Valdez
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'