Detects spoolsv.exe creating or modifying a file in the print driver directory whose name matches a core Windows DLL (kernelbase.dll, ntdll.dll, kernel32.dll, winhttp.dll or user32.dll), an unusual file name for a print driver. This may indicate an attempt to exploit privilege escalation vulnerabilities in the Print Spooler service such as CVE-2021-34527 (PrintNightmare), where an attacker-supplied DLL is staged in this directory and loaded by the spooler as SYSTEM. Refer to CVE-2021-34527 for more information and make sure the impacted system is investigated.
Rule type: eql
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Privilege Escalation
Rule license: Elastic License v2
/* This rule is compatible with both Sysmon and Elastic Endpoint */
file where process.name : "spoolsv.exe" and
  file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and
  file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*"
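The following is an added example, not Elastic's code, that re-implements the rule's EQL logic in Python and runs it over a handful of constructed file events. It exists to make the matching semantics explicit: "file where" restricts to event.category "file", the ":" operator is case-insensitive, and the "?" and "*" wildcards let the path pattern match any drive letter and any file name under the x64\3 driver directory. The events, field names (ECS-style dotted keys) and helper names are assumptions made for the example.

```python
"""Re-implementation of the print-driver rule above, run over constructed events.

Added example, not Elastic's code. The events below are constructed, not real
telemetry; the dotted field names follow the ECS fields used in the EQL query.
"""
import fnmatch

# The file names the rule treats as "unusual" for a print driver.
SUSPICIOUS_DLL_NAMES = ("kernelbase.dll", "ntdll.dll", "kernel32.dll",
                        "winhttp.dll", "user32.dll")

# Same pattern as the EQL query; the EQL string doubled the backslashes, a
# Python raw string does not need to.  "?" = one char (drive letter), "*" = rest.
DRIVER_DIR_PATTERN = r"?:\Windows\System32\spool\drivers\x64\3\*"


def eql_match(value, pattern):
    """Emulate EQL's ':' operator: case-insensitive, with ? and * wildcards.

    fnmatch's '*' matches across backslashes too, which is what EQL does.
    A missing field never matches, as in EQL.
    """
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event):
    """True when one event satisfies every clause of the EQL query."""
    return (
        event.get("event.category") == "file"            # "file where"
        and eql_match(event.get("process.name"), "spoolsv.exe")
        and any(eql_match(event.get("file.name"), n) for n in SUSPICIOUS_DLL_NAMES)
        and eql_match(event.get("file.path"), DRIVER_DIR_PATTERN)
    )


def run_rule(events):
    """Return the indices of events that would raise an alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (assumed, not captured telemetry).
SAMPLE_EVENTS = [
    # 0: spoolsv.exe drops a "kernelbase.dll" into the driver store -> alert
    {"event.category": "file", "process.name": "spoolsv.exe",
     "file.name": "kernelbase.dll",
     "file.path": r"C:\Windows\System32\spool\drivers\x64\3\kernelbase.dll"},
    # 1: same file name, but written by a different process -> no alert
    {"event.category": "file", "process.name": "msiexec.exe",
     "file.name": "ntdll.dll",
     "file.path": r"C:\Windows\System32\spool\drivers\x64\3\ntdll.dll"},
    # 2: spoolsv.exe writing a normally named driver file -> no alert
    {"event.category": "file", "process.name": "spoolsv.exe",
     "file.name": "UNIDRV.DLL",
     "file.path": r"C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL"},
    # 3: upper-case names and a different drive letter -> still an alert
    {"event.category": "file", "process.name": "SPOOLSV.EXE",
     "file.name": "NTDLL.DLL",
     "file.path": r"D:\WINDOWS\System32\spool\drivers\x64\3\NTDLL.DLL"},
    # 4: right name and process, but the 32-bit driver tree -> no alert
    {"event.category": "file", "process.name": "spoolsv.exe",
     "file.name": "user32.dll",
     "file.path": r"C:\Windows\System32\spool\drivers\W32X86\3\user32.dll"},
    # 5: a process event carrying the same fields -> no alert ("file where")
    {"event.category": "process", "process.name": "spoolsv.exe",
     "file.name": "user32.dll",
     "file.path": r"C:\Windows\System32\spool\drivers\x64\3\user32.dll"},
]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT: {e['process.name']} wrote {e['file.path']}")
```

Events 0 and 3 alert; the others show the three ways an otherwise similar event falls outside the rule (wrong process, benign driver file name, wrong directory or event category). Event 4 is worth keeping in mind as a tuning question: the query covers only the x64\3 tree, so a spooler dropping the same DLL names under W32X86\3 on a 32-bit driver install would not be caught by this rule as written.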
Framework: MITRE ATT&CK™