Spoolsv.exe spawning rundll32.exe with an empty command line may indicate the execution of malicious code through process injection or reflective loading: a legitimately launched rundll32.exe normally carries the DLL and entry point it should run on its command line, so a bare or empty command line is unusual. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threat (APT) activity or malware leveraging legitimate system processes for persistence and execution.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessParentFileName has "spoolsv.exe"
| where InitiatingProcessFileName =~ "rundll32.exe"
| where isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine endswith "rundll32.exe" // either the command line is empty or it is just "rundll32.exe"
| where FileName !in~ ("WerFault.exe")
```
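To make the query's matching semantics concrete, here is an added Python re-implementation of the four `where` clauses run over constructed DeviceProcessEvents-shaped records. This is example code written for this page, not part of the original rule or of Sentinel; the `kql_has` helper is an approximation of KQL's term-based `has` operator, and the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed events shaped like Sentinel DeviceProcessEvents rows (not real telemetry).
Event = Dict[str, str]


def _terms(text: str) -> List[str]:
    """Split text into lowercase alphanumeric terms, roughly the way KQL
    tokenizes for `has` (punctuation such as '.', '\\' and ':' separates terms)."""
    return [t for t in re.split(r"[^a-z0-9_]+", text.lower()) if t]


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: the search term's tokens must appear as a
    contiguous run of whole terms in the value, case-insensitively."""
    v, t = _terms(value), _terms(term)
    if not t:
        return False
    return any(v[i:i + len(t)] == t for i in range(len(v) - len(t) + 1))


def matches_rule(ev: Event) -> bool:
    """Apply the four `where` clauses of the hunting query to one event."""
    parent = ev.get("InitiatingProcessParentFileName") or ""
    initiating = ev.get("InitiatingProcessFileName") or ""
    cmd = ev.get("InitiatingProcessCommandLine") or ""
    child = ev.get("FileName") or ""

    # | where InitiatingProcessParentFileName has "spoolsv.exe"
    if not kql_has(parent, "spoolsv.exe"):
        return False
    # | where InitiatingProcessFileName =~ "rundll32.exe"   (=~ is case-insensitive equality)
    if initiating.lower() != "rundll32.exe":
        return False
    # | where isempty(...) or ... endswith "rundll32.exe"   (endswith is case-insensitive)
    if not (cmd == "" or cmd.lower().endswith("rundll32.exe")):
        return False
    # | where FileName !in~ ("WerFault.exe")   (!in~ is case-insensitive)
    if child.lower() in {"werfault.exe"}:
        return False
    return True


def hunt(events: List[Event]) -> List[Event]:
    """Return the events the query would surface, in input order."""
    return [ev for ev in events if matches_rule(ev)]


def _ev(parent: str, initiating: str, cmd: str, child: str) -> Event:
    return {
        "InitiatingProcessParentFileName": parent,
        "InitiatingProcessFileName": initiating,
        "InitiatingProcessCommandLine": cmd,
        "FileName": child,
    }


SAMPLE_EVENTS: List[Event] = [
    # 1. rundll32 under spoolsv with an empty command line spawning cmd.exe: should fire
    _ev("spoolsv.exe", "rundll32.exe", "", "cmd.exe"),
    # 2. same, but mixed case and a bare "rundll32.exe" command line: still fires (=~ / endswith)
    _ev("SPOOLSV.EXE", "RUNDLL32.EXE", "rundll32.exe", "powershell.exe"),
    # 3. legitimate printer-port command line from the page's first tuning scenario:
    #    dropped by the third clause because the command line is populated
    _ev("spoolsv.exe", "rundll32.exe",
        'rundll32.exe "C:\\Windows\\System32\\spool\\printers\\prnport.dll",AddPort', "conhost.exe"),
    # 4. crash-reporting child, filtered by the WerFault exclusion
    _ev("spoolsv.exe", "rundll32.exe", "", "WerFault.exe"),
    # 5. rundll32 with an empty command line but a different parent: out of scope
    _ev("explorer.exe", "rundll32.exe", "", "cmd.exe"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit)
```

Running it surfaces only events 1 and 2. Event 3 shows a point worth keeping in mind when tuning: an exclusion keyed on a populated rundll32 command line never has anything to exclude, because the third `where` already discards every event whose command line is not empty or a bare "rundll32.exe"; tuning of this rule therefore usually has to work on other columns, such as the child `FileName`, the account, or the device.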
```yaml
id: 49fb12a4-f0e9-4f18-a468-9722717774c6
name: Spoolsv Spawning Rundll32
description: |
  Look for spoolsv.exe launching rundll32.exe with an empty command line
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName has "spoolsv.exe"
  | where InitiatingProcessFileName =~ "rundll32.exe"
  | where isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine endswith "rundll32.exe" // either the command line is empty or it is just "rundll32.exe"
  | where FileName !in~ ("WerFault.exe")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Running Rundll32 for Printer Management
Description: A legitimate scheduled task is configured to run rundll32.exe as part of printer management or driver updates.
Filter/Exclusion: Exclude processes launched by scheduled tasks with known printer-related command lines (e.g., rundll32.exe "C:\Windows\System32\spool\printers\prnport.dll",AddPort).
Scenario: Admin Task Using Rundll32 to Load a DLL
Description: A system administrator is using rundll32.exe to load a DLL for custom system management or scripting purposes.
Filter/Exclusion: Exclude processes initiated by admin accounts with known legitimate rundll32 DLL-loading patterns (e.g., rundll32.exe "C:\Windows\System32\mydll.dll",MyFunction).
Scenario: Group Policy Processing via Rundll32
Description: Group Policy processing may invoke rundll32.exe to execute DLLs that handle policy settings or registry updates.
Filter/Exclusion: Exclude processes launched during Group Policy processing (e.g., rundll32.exe "C:\Windows\System32\gpmc.dll",ProcessGPO).
Scenario: Antivirus or Endpoint Protection Tool Using Rundll32
Description: A legitimate endpoint protection tool uses rundll32.exe to load a DLL for real-time monitoring or threat detection.
Filter/Exclusion: Exclude processes with known AV/EDR tool paths (e.g., rundll32.exe "C:\Program Files\EndpointProtection\mydll.dll",Scan).
Scenario: Microsoft Print Spooler Service Initialization
Description: The spoolsv.exe service may