Adversaries may leverage the spool folder to stage malicious files as part of a privilege escalation or persistence tactic. SOC teams should proactively hunt for this behavior to identify potential exploitation of known vulnerable drivers and prevent lateral movement in their Azure Sentinel environment.
KQL Query

```kql
DeviceFileEvents
| where FolderPath has @"System32\spool\drivers"
| project DeviceName, Timestamp, ActionType, FolderPath, FileName, SHA1
```
```yaml
id: 664afd0d-c979-4970-affe-fc17f01276fb
name: Suspicious files in spool folder
description: |
  Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. False positives for legitimate driver activity (when that activity should be present) in this folder are possible.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  DeviceFileEvents
  | where FolderPath has @"System32\spool\drivers"
  | project DeviceName, Timestamp, ActionType, FolderPath, FileName, SHA1
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled Printer Driver Update Job
Description: A legitimate scheduled task runs to update printer drivers, which creates or modifies files in the /spools/driver/ folder.
Filter/Exclusion: Exclude files created by known printer management tools like CUPS (Common Unix Printing System) or Spooler services. Use a filter based on file names or process names like lpd or spoolsv.
Scenario: System Backup or Restore Operation
Description: A backup or restore process moves or creates files in the /spools/driver/ folder as part of a system recovery or maintenance task.
Filter/Exclusion: Exclude files with timestamps matching backup windows or those associated with backup tools like Veeam, Commvault, or Acronis. Use a time-based filter or process name exclusion.
Scenario: Administrative Printer Configuration Task
Description: An admin manually configures a printer, which results in temporary file creation in the /spools/driver/ folder.
Filter/Exclusion: Exclude files created by administrative tools such as Print Management (Windows) or system-config-printer (Linux). Use process name or user context (e.g., root, admin) to filter.
Scenario: Log File Rotation or Cleanup Job
Description: A log rotation or cleanup script moves or deletes files in the /spools/driver/ folder, triggering the rule due to file modification.
Filter/Exclusion: Exclude files with .log extensions or those created by log management tools like logrotate or rsyslog. Use file extension or process name filters.
Scenario: Third-Party Software Integration
Description: A third-party application (e.g., a document management system) integrates with the print spooler
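The following is an added example, not part of the original rule, showing how the base hunt above can carry the false-positive handling from these scenarios (the backup-window and log-rotation exclusions) and additionally flag driver files whose hash was never seen in a baseline period. The backup tool name and backup hours are placeholders; the `InitiatingProcessFileName` and `InitiatingProcessAccountName` columns are standard DeviceFileEvents fields.

```kql
// Added example (not the original rule's query). Placeholder values are marked as such.
let lookback = 7d;          // hunting window
let baseline = 30d;         // period used to learn "known" driver file hashes
let spool_path = @"System32\spool\drivers";
let backup_window_start = 1; // placeholder: backup job hours (UTC) from the backup scenario
let backup_window_end = 3;
// Hashes of files written to the spool driver folder before the hunting window.
let known_hashes =
    DeviceFileEvents
    | where Timestamp between (ago(baseline) .. ago(lookback))
    | where FolderPath has spool_path and isnotempty(SHA1)
    | distinct SHA1
    | extend SeenBefore = true;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where FolderPath has spool_path
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Log rotation / cleanup scenario: .log files are out of scope for this hunt.
| where not(FileName endswith ".log")
// Backup scenario: drop writes by the backup agent only inside its scheduled window,
// not every write that happens to land in those hours.
| where not(InitiatingProcessFileName in~ ("backup-agent.exe")   // placeholder name
            and hourofday(Timestamp) between (backup_window_start .. backup_window_end))
// The spooler service itself writes driver files, so it is grouped on rather than
// excluded; excluding it outright would hide the activity this hunt is looking for.
| join kind=leftouter known_hashes on SHA1
| extend SeenBefore = coalesce(SeenBefore, false)
| summarize Events = count(),
            NewHashFiles = countif(not(SeenBefore)),
            Files = make_set(FileName, 25),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| order by NewHashFiles desc, Events desc
```

Rows with a non-zero `NewHashFiles` count are the first ones to review, since a driver file that has never been seen across the fleet is the strongest signal this broad search can produce on its own.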