title: Windows Spooler Service Suspicious Binary Load id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14 status: experimental description: Detect suspicious DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare author: FPT.EagleEye date: 2021/06/29 tags: - attack.persistence - attack.defense_evasion - attack.privilege_escalation - attack.t1574 - cve.2021-1675 logsource: category: image_load product: windows detection: selection: Image|endswith: - 'spoolsv.exe' ImageLoaded: - 'Windows\System32\spool\drivers\x64\3\old\*.dll' condition: selection falsepositives: - Possible. Requires further testing. level: high