Adversaries may abuse the Windows Print Spooler service to execute malicious DLLs by dropping files into the print spooler drivers folder, a technique used for both code execution and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or execution tactics early.
KQL Query
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".dll"
// Backslashes are escaped inside KQL string literals; these resolve to
// C:\WINDOWS\SYSTEM32\SPOOL\drivers\x64\3\ and ...\x64\4\ (v3 and v4 driver stores)
| where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\3\\"
    or FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\4\\"
```
```yaml
id: 67309406-12ad-4591-84db-0cc331634d0c
name: Windows Spooler Service Suspicious File Creation
description: |
  The query searches the Windows print spooler drivers folder for any file creations.
  MANY OF THE FILES THAT COME UP HERE MAY BE LEGITIMATE. A suspicious DLL is loaded from the Spooler Service backup folder.
  This behavior is used by PoC exploits of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - PrivilegeEscalation
  - LateralMovement
  - Exploit
relevantTechniques:
  - T1574
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where ActionType == "FileCreated"
  | where FileName endswith ".dll"
  | where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\3\\"
      or FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\4\\"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled Print Job Backup
Description: A scheduled task or script regularly backs up print jobs to the spooler directory, creating .spl or .log files.
Filter/Exclusion: Check for file extensions like .spl, .log, or .tmp and exclude files created by known backup processes or scheduled tasks (e.g., PrintQueueBackupTask).
Scenario: Administrative Print Driver Installation
Description: An admin installs a new printer driver via the Print Management console, which places a .dll or .sys file in the spooler directory.
Filter/Exclusion: Exclude files created by the PrintManagement service or during the execution of pnputil or Add Printer Driver commands.
Scenario: Windows Update or Patch Deployment
Description: A Windows Update or patching tool (e.g., Microsoft Endpoint Configuration Manager, SCCM, or Windows Server Update Services) places temporary files in the spooler directory during deployment.
Filter/Exclusion: Exclude files created by processes like wuauserv, svchost.exe (with wuauserv as the parent), or known patching tools.
Scenario: Third-Party Printer Driver Installation
Description: A third-party printer driver (e.g., HP, Canon, or Epson) is installed, which places a .dll or .sys file in the spooler directory.
Filter/Exclusion: Exclude files with known vendor names or those created by the PrintUI or PrintDriverManager tools.
Scenario: Log File Generation by Print Spooler Service
Description: The Windows Print Spooler service generates log files (e.g., spooler.log) in the spooler directory as
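The hunting query and the false-positive exclusions above, expressed as Python over constructed DeviceFileEvents-style rows so the filter logic can be exercised offline. This is an added example, not code from the page or from the Sentinel repository. The column names mirror the DeviceFileEvents table (Timestamp, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine); the sample rows, the allow-list of installer processes and the `hunt` function are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# The two driver stores the KQL query watches (x64 v3 and v4 print drivers).
# KQL's startswith is case-insensitive, so paths are compared lower-cased.
WATCHED_PREFIXES = (
    "c:\\windows\\system32\\spool\\drivers\\x64\\3\\",
    "c:\\windows\\system32\\spool\\drivers\\x64\\4\\",
)

# Assumed allow-list of initiating processes that legitimately write driver
# DLLs there (driver-installation scenario).  spoolsv.exe is deliberately not
# on it: the spooler itself dropping a new DLL into \3 or \4 is what the hunt
# exists to surface.
KNOWN_INSTALLER_PROCESSES = {"pnputil.exe", "printui.exe"}


@dataclass
class FileEvent:
    """One DeviceFileEvents row (subset of columns, constructed)."""
    timestamp: datetime
    action_type: str
    file_name: str
    folder_path: str
    initiating_process_file_name: str
    initiating_process_command_line: str = ""


def matches_base_query(ev: FileEvent, now: datetime,
                       lookback: timedelta = timedelta(days=7)) -> bool:
    """Mirror of the hunting query's four filters (time, action, extension, path)."""
    if ev.timestamp <= now - lookback:
        return False
    if ev.action_type != "FileCreated":
        return False
    if not ev.file_name.lower().endswith(".dll"):
        return False
    path = ev.folder_path.lower()
    return any(path.startswith(prefix) for prefix in WATCHED_PREFIXES)


def is_known_benign(ev: FileEvent) -> bool:
    """Exclusions drawn from the scenarios: driver-install tools and the
    Windows Update service host (svchost.exe hosting wuauserv)."""
    proc = ev.initiating_process_file_name.lower()
    if proc in KNOWN_INSTALLER_PROCESSES:
        return True
    if proc == "svchost.exe" and "wuauserv" in ev.initiating_process_command_line.lower():
        return True
    return False


def hunt(events: List[FileEvent], now: datetime) -> List[str]:
    """File names that survive the base query and the exclusions, in event order."""
    return [ev.file_name for ev in events
            if matches_base_query(ev, now) and not is_known_benign(ev)]


# Constructed sample data covering each branch of the logic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
DRV3 = "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\3\\"
DRV4 = "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\4\\"

SAMPLE_EVENTS = [
    # Spooler copying an unknown DLL into the v3 backup ("Old") folder: flagged.
    FileEvent(NOW - timedelta(hours=2), "FileCreated", "x64drv.dll",
              DRV3 + "Old\\1\\x64drv.dll", "spoolsv.exe"),
    # Admin driver install via pnputil: matches the base query but is excluded.
    FileEvent(NOW - timedelta(hours=5), "FileCreated", "vendor_print.dll",
              DRV3 + "vendor_print.dll", "pnputil.exe",
              "pnputil.exe /add-driver C:\\drivers\\vendor.inf /install"),
    # Windows Update servicing the v4 store: excluded via the wuauserv host.
    FileEvent(NOW - timedelta(days=1), "FileCreated", "unidrv.dll",
              DRV4 + "unidrv.dll", "svchost.exe",
              "svchost.exe -k netsvcs -p -s wuauserv"),
    # Spool job file, not a DLL: never matches the base query.
    FileEvent(NOW - timedelta(hours=1), "FileCreated", "00012.SPL",
              DRV3 + "00012.SPL", "spoolsv.exe"),
    # DLL older than the 7-day window: dropped by the time filter.
    FileEvent(NOW - timedelta(days=10), "FileCreated", "old.dll",
              DRV3 + "old.dll", "spoolsv.exe"),
    # DLL under spool\drivers\color, outside the watched stores: path filter drops it.
    FileEvent(NOW - timedelta(hours=3), "FileCreated", "colorconv.dll",
              "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\color\\colorconv.dll", "spoolsv.exe"),
    # v4 DLL written by an unexpected process: flagged.
    FileEvent(NOW - timedelta(hours=4), "FileCreated", "upd.dll",
              DRV4 + "upd.dll", "powershell.exe"),
]

if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS, NOW):
        print("review:", name)
```

Two points the exercise makes visible. The base query already restricts results to `.dll`, so the `.spl`/`.log`/`.tmp` exclusions in the first scenario only matter if the extension filter is later relaxed. And exclusions keyed on the initiating process should stay narrow: allow-listing `svchost.exe` wholesale would hide the spooler-hosted write path the hunt is designed to catch, which is why the example requires `wuauserv` in the command line before treating a `svchost.exe` write as servicing activity.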