The hypothesis is that an adversary is abusing the print spooler's driver directory for DLL side-loading: a malicious DLL is written (or renamed) into \system32\spool\drivers\x64\3\ and is then loaded, by the same process that wrote it, from the \Old subdirectory beneath it. SOC teams should proactively hunt for this write-then-load sequence in Azure Sentinel, because a DLL loaded by a service process runs with that service's privileges, which makes the pattern a candidate for privilege escalation or persistence.
KQL Query
DeviceFileEvents
// DLLs written or renamed into the spooler's live driver directory
| where FolderPath contains @"\system32\spool\drivers\x64\3\"
| where FileName endswith ".dll"
| where ActionType in ("FileCreated", "FileRenamed")
// Correlate with image loads of the same file name by the same process on the same device.
// Right-side columns that share a name with the left (Timestamp, FolderPath) get a "1" suffix.
| join kind=inner DeviceImageLoadEvents on DeviceId,DeviceName,FileName,InitiatingProcessFileName
// Keep only loads that happened at or after the write, and from the \Old subfolder
| where Timestamp1 >= Timestamp and FolderPath1 contains @"\system32\spool\drivers\x64\3\Old"
id: cabb3aa3-cbfa-4359-9464-a3093d8b44f3
name: Suspicious DLLs in spool folder
description: |
  Look for suspicious DLL files created in the \spool\ folder that are loaded shortly afterwards from \Old.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceImageLoadEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  DeviceFileEvents
  | where FolderPath contains @"\system32\spool\drivers\x64\3\"
  | where FileName endswith ".dll"
  | where ActionType in ("FileCreated", "FileRenamed")
  | join kind=inner DeviceImageLoadEvents on DeviceId,DeviceName,FileName,InitiatingProcessFileName
  | where Timestamp1 >= Timestamp and FolderPath1 contains @"\system32\spool\drivers\x64\3\Old"
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled (Microsoft 365 Defender, connectorId MicrosoftThreatProtection) |
| DeviceImageLoadEvents | Ensure this data connector is enabled (same connector); without it the inner join returns no rows |
Scenario: A legitimate update or patching process (Windows Update, a Microsoft Intune deployment) writes a driver DLL into the spool driver directory, and the DLL is later loaded from \Old.
Filter/Exclusion: Exclude on signature rather than on file name: join the file's SHA1 to DeviceFileCertificateInfo and drop rows where IsTrusted and IsRootSignerMicrosoft are both true, or allowlist the SHA1 of vetted driver DLLs. A name-based exclusion such as wuaueng.dll is trivially mimicked by an adversary, and EXE names such as msiexec.exe never match because the query is already restricted to .dll files.
Scenario: A scheduled task runs a script that writes a temporary DLL into the spool folder for a print job or document-processing step.
Filter/Exclusion: Exclude on the writing process and its command line (InitiatingProcessFileName and InitiatingProcessCommandLine in DeviceFileEvents), scoped to the devices that run the task. Do not exclude on name patterns such as temp_*.dll alone: an adversary can choose any file name, and a hit should still require the DLL to be loaded from \Old afterwards.
Scenario: An administrator manually copies a DLL from the \Old directory into the spool folder as part of troubleshooting or testing.
Filter/Exclusion: This only surfaces if the copied DLL is subsequently loaded from \Old by the same process, so confirm the hand copy first: for FileRenamed events, PreviousFolderPath containing \Old with FolderPath containing \spool\ identifies the move, and InitiatingProcessAccountName identifies who did it. Exclude on a known administrative account combined with an interactive writer such as explorer.exe. Tools such as eventvwr.exe or regedit.exe are executables, not DLLs, and can never match this query, so they are not useful exclusions.
Scenario: A third-party print driver installation places a DLL in the spool folder during setup and later loads it from the \Old directory as part of the driver configuration.
Filter/Exclusion: Exclude on the vendor's code-signing identity (Signer in DeviceFileCertificateInfo, joined on SHA1) or on the vetted hash of the driver DLL, rather than on guessable file names such as hpqprint.dll or epsonprint.dll. If you must scope by time, restrict Timestamp to the documented rollout window and to the devices in that deployment ring.
Scenario: A legitimate system cleanup or repair tool (for example Disk Cleanup or System File Checker) moves or restores DLLs between the \Old directory and the spool folder during maintenance. A defragmenter relocates clusters on disk and does not move files between directories, and a plain move with no later load from \Old produces no hit in this query.
Filter/Exclusion: Exclude files moved by known system maintenance tools (e.g., Defragmenter, Disk Cleanup, System File Checker) or files with a source path containing \\Old and
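The following is an added example, not the original hunting rule, of the query above with the scenario filters applied the way the exclusions describe: signer and hash checks against DeviceFileCertificateInfo, and an allowlist of staging processes. The lookback, the allowedWriters process list and the vettedDllHashes list are hypothetical placeholders, to be replaced with values observed in your own environment.

```kusto
// Added example (not the original rule): the spool-folder hunt with scenario filters applied.
// Hypothetical placeholders: lookback, allowedWriters and vettedDllHashes.
let lookback = 7d;
let spoolDrivers = @"\system32\spool\drivers\x64\3\";
// Hypothetical allowlists: processes that legitimately stage driver DLLs, and SHA1s of vetted driver DLLs.
let allowedWriters = dynamic(["PrintIsolationHost.exe"]);
let vettedDllHashes = dynamic(["0000000000000000000000000000000000000000"]);
// DLLs written or renamed into the live driver directory, with who wrote them and from where.
let created =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileRenamed")
    | where FileName endswith ".dll"
    | where FolderPath contains spoolDrivers
    // PreviousFolderPath is populated for FileRenamed and shows where the DLL came from
    | project DeviceId, DeviceName, FileName, SHA1, InitiatingProcessFileName,
              CreatedTime = Timestamp, CreatedPath = FolderPath, PreviousFolderPath,
              WriterAccount = InitiatingProcessAccountName,
              WriterCommandLine = InitiatingProcessCommandLine;
// Image loads from the \Old subfolder; SHA1 is deliberately not projected to avoid a SHA11 column after the join.
let loaded =
    DeviceImageLoadEvents
    | where Timestamp > ago(lookback)
    | where FileName endswith ".dll"
    | where FolderPath contains strcat(spoolDrivers, "Old")
    | project DeviceId, DeviceName, FileName, InitiatingProcessFileName,
              LoadedTime = Timestamp, LoadedPath = FolderPath,
              LoaderProcessId = InitiatingProcessId;
// Latest certificate verdict per file hash. The leftouter join below keeps DLLs that Defender never inspected,
// which are the ones most worth looking at.
let signers =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer) by SHA1
    | project-away Timestamp;
created
| join kind=inner loaded on DeviceId, DeviceName, FileName, InitiatingProcessFileName
| where LoadedTime >= CreatedTime
| join kind=leftouter signers on SHA1
// coalesce() keeps the predicate false rather than null for uninspected files, so they are not dropped.
| extend MicrosoftSigned = coalesce(IsTrusted, false) and coalesce(IsRootSignerMicrosoft, false)
// Scenario filters: trusted Microsoft-rooted signature, vetted hash, or allowlisted staging process.
| where not(MicrosoftSigned)
| where SHA1 !in (vettedDllHashes)
| where InitiatingProcessFileName !in~ (allowedWriters)
| extend LoadDelay = LoadedTime - CreatedTime
| project DeviceName, FileName, SHA1, CreatedTime, CreatedPath, PreviousFolderPath,
          LoadedTime, LoadedPath, LoadDelay, InitiatingProcessFileName, LoaderProcessId,
          WriterAccount, WriterCommandLine, IsSigned, IsTrusted, Signer
| order by LoadDelay asc
```

Run this in the Sentinel Logs blade or in Microsoft 365 Defender advanced hunting. DeviceFileCertificateInfo is only populated for files Defender has inspected, so an empty IsTrusted means unknown, not unsigned; the coalesce() keeps those rows in the results. A process-name allowlist on its own is weak, since the writer is usually the spooler itself, so pair it with the signer or hash check and review WriterAccount, WriterCommandLine and a short LoadDelay before dismissing a hit.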