Create Suspicious DLLs in spool folder.md

Exploits/Print Spooler RCE/Suspicious DLLs in spool folder.md

@@ -0,0 +1,34 @@
+# Suspicious DLLs in spool folder
+ 
+Look for the creation of suspicious DLL files spawned in the \spool\ folder along with DLLs that were recently loaded afterwards from \Old\. 
+
+## Query
+```
+DeviceFileEvents
+| where FolderPath contains @"\system32\spool\drivers\x64\3\"
+| where FileName endswith ".dll"
+| where ActionType in ("FileCreated", "FileRenamed")
+| join kind=inner DeviceImageLoadEvents on DeviceId,DeviceName,FileName,InitiatingProcessFileName
+| where Timestamp1 >= Timestamp and FolderPath1 contains @"\system32\spool\drivers\x64\3\Old" 
+```
+## Category
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation | v |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration |  |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Exploit | v |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+| Ransomware |  |  |