spoolsv.exe
- File Path:
C:\Windows\system32\spoolsv.exe - Description: Spooler SubSystem App
Hashes
| Type | Hash |
|---|---|
| MD5 | 097D2C4BC86ABE630CA8B879FE0543B6 |
| SHA1 | 17C8C7C153B869FB626183ED33ED2CFCBE97FB87 |
| SHA256 | 120DA7561842AB914590EBA1A13E2F1A8171198C47FA0543C5FFF9948A2372C0 |
| SHA384 | 39A36BC09C8C9D904F2D42EA339BB48EAA16F0C236A40E237A1FD8AD16B6A71FE6A66660958BEABFD6DDA9CC0B256FD9 |
| SHA512 | DF5F755629BDBC6F4CAA14128B2FE5E897FC95856CB64E9108E5E83D30F840A5EA05E9F99DF79C83935724B24B86EF9A22CEC8F148E53F01370D9ACE2A4809C0 |
| SSDEEP | 24576:eRaOT7uuhdzDLt4UImXsfeCUqj8tSBY5QChg32NbF05KT:eRrTiuhdzDLt4UImXsfeCUqj8tSBY5QE |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: spoolsv.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | file_delete_win_cve_2021_1675_printspooler_del.yml | Image\|endswith: 'spoolsv.exe' |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | image_load_spoolsv_dll_load.yml | Image\|endswith: 'spoolsv.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | spoolsv: |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | ParentImage\|endswith: \\spoolsv.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | condition: spoolsv and ( |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | registry_event_add_port_monitor.yml | Image: 'C:\Windows\System32\spoolsv.exe' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | Image: 'C:\Windows\System32\spoolsv.exe' |
DRL 1.0 |
| atomic-red-team | T1489.md | This technique was used by WannaCry. Upon execution, if the spoolsv service was running “SUCCESS: The process “spoolsv.exe” with PID 2316 has been terminated.” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | will be displayed. If the service was not running “ERROR: The process “spoolsv.exe” not found.” will be displayed and it can be | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | | process_name | Name of a process to kill | String | spoolsv.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. | MIT License. © 2018 Red Canary |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of spoolsv.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “spoolsv.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.