spoolsv.exe

  • File Path: C:\WINDOWS\system32\spoolsv.exe
  • Description: Spooler SubSystem App

Hashes

Type Hash
MD5 217A5227E768CC42CF52B2902C7EFA8C
SHA1 119662BE674BF95EC85F0AA9690B4F06DE272C17
SHA256 13B3E4725F07A2371B7B45BB3E53ED14438ABC38CED045D50BFF3DC840680C59
SHA384 6E9E7E57A2BBD9B9BABEED31D85A56CAED0D96AB60BA26956339D87DB04762C28A47AEA30023A93EA18293F4F4F48935
SHA512 C3F1A3E55ED2D26467D2F6C810A1C6978FEBD31EE59AC83E32FF92D8D7CF54E1BE914D9545A7F5251579405CBF57BB0CE9D0E4557FA1688CB1037A21F8A4CCE5
SSDEEP 12288:TntjB9Jl2BFaRCEe2Rv6VNWP3YT8pnFZ6NgMBjvHgbllJFhP4C/wWr9vPFPHYZsO:Ttl9eREJlJFhP4C/wWr9vPFPHYZs1deo

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: spoolsv.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\spoolsv.exe' DRL 1.0
sigma file_delete_win_cve_2021_1675_printspooler_del.yml Image\|endswith: 'spoolsv.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\spoolsv.exe' DRL 1.0
sigma image_load_spoolsv_dll_load.yml Image\|endswith: 'spoolsv.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\spoolsv.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml description: Detects suspicious print spool service (spoolsv.exe) child processes. DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml spoolsv: DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml ParentImage\|endswith: \\spoolsv.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml condition: spoolsv and ( DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\spoolsv.exe' DRL 1.0
sigma registry_event_add_port_monitor.yml Image: 'C:\Windows\System32\spoolsv.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentcontrolset.yml Image: 'C:\Windows\System32\spoolsv.exe' DRL 1.0
atomic-red-team T1489.md This technique was used by WannaCry. Upon execution, if the spoolsv service was running “SUCCESS: The process “spoolsv.exe” with PID 2316 has been terminated.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md will be displayed. If the service was not running “ERROR: The process “spoolsv.exe” not found.” will be displayed and it can be MIT License. © 2018 Red Canary
atomic-red-team T1489.md | process_name | Name of a process to kill | String | spoolsv.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. MIT License. © 2018 Red Canary
signature-base generic_anomalies.yar description = “Detects uncommon file size of spoolsv.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “spoolsv.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.