THIS IS A EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-03-16
- Author: Rico Valdez, Splunk
- ID: aa0c4aeb-5b18-41c4-8c07-f1442d7599df
Kill Chain Phase
- CIS 5
- CIS 8
|CVE-2018-8440||An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.||7.2|
1 2 3 4 5 6 | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`
The SPL above uses the following Macros:
child_processes_of_spoolsv_exe_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. Update the
children_of_spoolsv_filter macro to filter out legitimate child processes spawned by spoolsv.exe.
Known False Positives
Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.
Associated Analytic Story
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 3