Unusual Print Spooler Child Processedit

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 2

Added (Elastic Stack release): 7.14.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information.

Rule queryedit

process where event.type == "start" and process.parent.name :
"spoolsv.exe" and user.id : "S-1-5-18" and /* exclusions for FP
control below */ not process.name : ("splwow64.exe",
"PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe",
"route.exe", "WerFault.exe") and not process.command_line :
"*\\WINDOWS\\system32\\spool\\DRIVERS*" and not (process.name :
"net.exe" and process.command_line : ("*stop*", "*start*")) and not
(process.name : ("cmd.exe", "powershell.exe") and process.command_line
: ("*.spl*", "*\\program files*", "*route add*")) and not
(process.name : "netsh.exe" and process.command_line : ("*add
portopening*", "*rule name*")) and not (process.name : "regsvr32.exe"
and process.command_line : "*PrintConfig.dll*")

Threat mappingedit