spoolsv.exe

  • File Path: C:\windows\system32\spoolsv.exe
  • Description: Spooler SubSystem App

Hashes

Type Hash
MD5 A2AF9AE023278708209F2411D31026E1
SHA1 DB7EA9E54E39ADAD99000FF1650FA2E21AADA6A6
SHA256 8304796552A5964AAF0561BB2DDDA63EDBBFE4502419E9CF037CB95CDA57EEC1
SHA384 7878FF4B1B80491728121C7413FF742D7AFDAC08C75CA6E2B936F23E94BB09928795E01227D78BE77DC9037BE00F9C10
SHA512 B10F6B5D74F48068CA9C2EF60582639F7BC51F8AACBEFC9F0BA348779C76CF9D718F9E6C731FF118D45366B1C6F858BF2C88867FF885E8B44931FFD144F51969
SSDEEP 24576:L/VR7+Rc6iXfswQbKv9UFOty9ITCOVGzkAMXAZPDfVAgo8nn1oYU:L/V94iPswQbKv9UFOty9ITCOVGzkAMXj

Signature

  • Status: The file C:\windows\system32\spoolsv.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: spoolsv.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\spoolsv.exe' DRL 1.0
sigma file_delete_win_cve_2021_1675_printspooler_del.yml Image\|endswith: 'spoolsv.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\spoolsv.exe' DRL 1.0
sigma image_load_spoolsv_dll_load.yml Image\|endswith: 'spoolsv.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\spoolsv.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml description: Detects suspicious print spool service (spoolsv.exe) child processes. DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml spoolsv: DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml ParentImage\|endswith: \\spoolsv.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml condition: spoolsv and ( DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\spoolsv.exe' DRL 1.0
sigma registry_event_add_port_monitor.yml Image: 'C:\Windows\System32\spoolsv.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentcontrolset.yml Image: 'C:\Windows\System32\spoolsv.exe' DRL 1.0
atomic-red-team T1489.md This technique was used by WannaCry. Upon execution, if the spoolsv service was running “SUCCESS: The process “spoolsv.exe” with PID 2316 has been terminated.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md will be displayed. If the service was not running “ERROR: The process “spoolsv.exe” not found.” will be displayed and it can be MIT License. © 2018 Red Canary
atomic-red-team T1489.md | process_name | Name of a process to kill | String | spoolsv.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. MIT License. © 2018 Red Canary
signature-base generic_anomalies.yar description = “Detects uncommon file size of spoolsv.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “spoolsv.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.