[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976)

w0rk3r · tradebot-elastic · commit a9165f5d1462 · 2025-08-18T13:31:40.000Z
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> (cherry picked from commit 5f7b821)
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/13"
 
 [rule]
 author = ["Elastic"]
@@ -87,54 +87,55 @@ event.category : "file" and host.os.type : "windows" and event.type : "creation"
 
 
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = false
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\Sys?????\\\\*"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\Sys?????\\u005lrs.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\system32\\spool\\DRIVERS\\u0064\\\\*.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
-[[rule.filters]]
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\Windows\\system32\\spool\\PRTPROCS\\u0064\\\\*.dll"
-[[rule.filters]]
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
 
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
