Spoolsv Suspicious Loaded Modules

Description

This search detects suspicious DLL loads from a specific path associated with PrintNightmare exploitation. It looks for modules loaded by spoolsv.exe after the exploitation has taken place.

Help

Spoolsv Suspicious Loaded Modules Help

To successfully implement this search, you need to be ingesting logs that record the process name and image-loaded events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
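The following is an added example, not the search from this page or Splunk's own code. It shows the detection logic described above applied to constructed Sysmon Event ID 7 (Image loaded) records: flag DLLs loaded by spoolsv.exe from the spooler driver directory. The directory used, \Windows\System32\spool\drivers\x64\, is an assumption taken from public PrintNightmare reporting (the page does not name the path), and the allowlist of expected driver modules is constructed for illustration; legitimate printer drivers also live under that directory, so the allowlist is what keeps the rule from firing on every driver install.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon Event ID 7 records, flattened to key=value text for this
# example. These are sample lines, not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true',
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\spool\drivers\x64\3\unidrv.dll Signed=true',
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\spool\drivers\x64\3\evil.dll Signed=false',
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\spool\drivers\x64\3\Old\1\payload.dll Signed=false',
    r'EventID=7 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\spool\drivers\x64\3\foo.dll Signed=false',
    r'EventID=1 Image=C:\Windows\System32\spoolsv.exe CommandLine=spoolsv.exe',
]

# Assumption: the spooler driver directory that PrintNightmare exploitation is
# publicly reported to drop DLLs into. Compared case-insensitively below.
SPOOL_DRIVER_DIR = "\\windows\\system32\\spool\\drivers\\x64\\"

# Constructed allowlist of driver modules expected in that directory.
# In a real deployment this is built from a baseline of the fleet's printer drivers.
KNOWN_DRIVER_DLLS = {"unidrv.dll"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value Sysmon record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious(event: Dict[str, str], allowlist=KNOWN_DRIVER_DLLS) -> bool:
    """True when spoolsv.exe loads a non-allowlisted DLL from the spool driver directory."""
    if event.get("EventID") != "7":          # only Image loaded events
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("\\spoolsv.exe"):  # only the print spooler process
        return False
    if SPOOL_DRIVER_DIR not in loaded or not loaded.endswith(".dll"):
        return False
    module_name = loaded.rsplit("\\", 1)[-1]
    return module_name not in allowlist     # expected drivers are not alerted on


def find_suspicious_loads(lines: Iterable[str], allowlist=KNOWN_DRIVER_DLLS) -> List[Dict[str, str]]:
    """Run the rule over raw log lines and return the matching parsed events."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev, allowlist)]


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT spoolsv.exe loaded {hit['ImageLoaded']} (Signed={hit.get('Signed')})")
```

Of the six sample records, only the two unexpected DLLs under spool\drivers\x64 are flagged: the ntdll.dll load is outside the watched path, unidrv.dll is allowlisted, the notepad.exe load is not from the spooler, and the Event ID 1 record is not an image-load event at all. Signature status is carried through so an analyst can prioritise unsigned hits, but the rule deliberately does not key on it, since a signed-but-unexpected module in that directory is still worth a look.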

Search
