Attacks such as PrintNightmare abuse the print spooler to load printer drivers. Windows records each driver addition in the Microsoft-Windows-PrintService/Operational log as event code 316, and this search detects those entries.
- Ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=316 category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | stats count min(_time) AS firstTime max(_time) AS lastTime BY OpCode EventCode ComputerName Message
The table below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk search | Explanation |
|---|---|
| source="WinEventLog:Microsoft-Windows-PrintService/Operational" | Search Windows PrintService operational data. |
| EventCode=316 | Search for event code 316 entries, which are logged when a printer driver is added. |
| category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | Search for driver-addition events whose Message field contains all three of the given strings (repeated Message terms are ANDed). |
| \| stats count min(_time) AS firstTime max(_time) AS lastTime BY OpCode EventCode ComputerName Message | Returns a count and the first and last times these events occurred, grouped by OpCode and the rest of the fields shown. |
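To test or tune the Message patterns before deploying the search, the following Python mirrors the filter stage and the stats stage of the SPL above on a handful of constructed events. This is an added example, not the page's search or any Splunk code; the event dictionaries, messages, hostnames and timestamps are constructed samples, and the function names are assumptions.

```python
import re
from datetime import datetime

# Field values taken from the Splunk search on this page.
SOURCE = "WinEventLog:Microsoft-Windows-PrintService/Operational"
EVENT_CODE = 316
CATEGORY = "Adding a printer driver"
MESSAGE_PATTERNS = ("*kernelbase.dll,*", "*UNIDRV.DLL,*", "*.DLL.*")

# Constructed sample messages (hypothetical, not real telemetry). The first
# mimics a driver-add event whose file list includes kernelbase.dll, UNIDRV.DLL
# and a trailing DLL; the second mimics a driver whose file list lacks kernelbase.dll.
MALICIOUS_MESSAGE = (
    "Printer driver Example Driver for Windows x64 Version-3 was added or updated. "
    "Files:- UNIDRV.DLL, kernelbase.dll, evil.DLL. No user action is required."
)
BENIGN_MESSAGE = (
    "Printer driver Vendor Printing PCL 6 for Windows x64 Version-3 was added or updated. "
    "Files:- vendor230u.dll, UNIDRV.DLL, vendor230u.gpd. No user action is required."
)


def _event(time, host, message, event_code=EVENT_CODE, category=CATEGORY):
    """Build one constructed event shaped like Splunk's extracted WinEventLog fields."""
    return {"_time": time, "source": SOURCE, "EventCode": event_code, "OpCode": "Info",
            "category": category, "ComputerName": host, "Message": message}


# Constructed sample data: two hits on one host, one hit on another, one
# driver addition that should not match, and one unrelated event code.
SAMPLE_EVENTS = [
    _event("2021-07-01T10:15:00", "print01.example.local", MALICIOUS_MESSAGE),
    _event("2021-07-01T10:20:00", "print01.example.local", MALICIOUS_MESSAGE),
    _event("2021-07-01T11:05:00", "ws02.example.local", MALICIOUS_MESSAGE),
    _event("2021-07-01T09:00:00", "print01.example.local", BENIGN_MESSAGE),
    _event("2021-07-01T10:16:00", "print01.example.local",
           "The document Report.pdf, owned by alice, was printed on print01.",
           event_code=307, category="Printing a document"),
]


def wildcard_match(pattern, value):
    """Match a Splunk-style wildcard (* = any run of characters) against a whole
    field value. Splunk's field=value terms in the base search are
    case-insensitive, so the regex is compiled with IGNORECASE."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches_search(event):
    """Apply the filter half of the search: source, EventCode, category and all
    three Message wildcards (Splunk ANDs the repeated Message= terms)."""
    return (
        event.get("source") == SOURCE
        and event.get("EventCode") == EVENT_CODE
        and str(event.get("category", "")).lower() == CATEGORY.lower()
        and all(wildcard_match(p, event.get("Message", "")) for p in MESSAGE_PATTERNS)
    )


def stats_by_group(events):
    """Mirror '| stats count min(_time) AS firstTime max(_time) AS lastTime
    BY OpCode EventCode ComputerName Message' over the filtered events."""
    groups = {}
    for ev in events:
        if not matches_search(ev):
            continue
        key = (ev["OpCode"], ev["EventCode"], ev["ComputerName"], ev["Message"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups


if __name__ == "__main__":
    for (opcode, code, host, message), g in stats_by_group(SAMPLE_EVENTS).items():
        print(f"{host} [{opcode}/{code}]: {g['count']} event(s), "
              f"first {g['firstTime']}, last {g['lastTime']} :: {message[:50]}...")
```

Running the script reports two groups: the print01 host with a count of 2 and the ws02 host with a count of 1. The constructed benign-looking driver addition is excluded because its file list lacks "kernelbase.dll,", and the event code 307 sample is excluded by the EventCode filter. Because the example applies the three wildcards with `all()`, it reproduces the implicit AND of the repeated Message terms; if you later tune the search to a looser `Message IN (...)` form, change `all` to `any` here to keep the test harness in step.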
Ensure you filter for false positives on this search.
During triage, isolate the endpoint and review it for the source of the exploitation. Capture any additional file modification events.
If your results indicate an attack has occurred, the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
Finally, you might be interested in other processes associated with the Detecting print spooler attacks use case.