CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.
ATT&CK Detection
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Exploitation for Privilege Escalation | N/A | Privilege Escalation | Low |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | command_line |
Applicable Sensors
Implementations
Splunk search - Unusual Child Process For Spoolsv.exe Or Connhost.exe (Splunk, Sysmon native)
This query looks for processes spawned by spoolsv.exe or connhost.exe externally, thus alerting us of potentially malicious activity.
(index=__your_sysmon_index__ EventCode=1) (Image=C:\\Windows\\System32\\spoolsv.exe* OR Image=C:\\Windows\\System32\\conhost.exe) ParentImage = "C:\\Windows\\System32\\cmd.exe"