Splunk Lantern

Detecting print spooler attacks
As a security analyst, it is your job to stay on top of Microsoft's reports on common vulnerabilities and exposures. You have recently found out that Microsoft has reported on a number of vulnerabilities that may affect your network, and you need to identify whether any of your organization's Windows endpoints have been affected.

These vulnerabilities affect the print spooler service, which is enabled by default on Windows systems. They allow an adversary with only a low-privileged user account to trick the service into installing a remotely hosted print driver. Successful exploitation lets the attacker execute code on the target system in the context of the print spooler service, which runs with elevated privileges. The PrintNightmare vulnerability is an example of this type of attack.

You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.

How to use Splunk software for this use case

To deploy this use case, you need to import the Splunk ES Content Updates into your Splunk Security Essentials or Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Some of the detections that can help you with this use case include:

Next steps

During triage, isolate the endpoint and review it for the source of exploitation. Capture any additional file modification events.

If your results indicate that an attack has occurred, the host where the vulnerability is detected needs to be further investigated and remediated according to your response plan. The final step, after the investigation, is to re-image the system with a known-good system build.
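As an added example (not from Splunk Lantern or the Splunk ES content library), the following Python script applies the triage steps above to constructed Sysmon file-create (EventCode 11) and PrintService/Operational driver-added (EventCode 316) records: it flags DLLs that spoolsv.exe wrote under the print driver store and correlates each with a subsequent driver-added event on the same host, producing a per-host timeline. The key=value line format, host names, timestamps and file paths are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real Splunk output).
# Sysmon EventCode 11 is a file-create event; PrintService/Operational EventCode 316
# records a printer driver being added or updated.
SAMPLE_EVENTS = [
    'time=2021-07-01T10:02:11 host=WS01 source=Sysmon EventCode=11 '
    'Image="C:\\Windows\\System32\\spoolsv.exe" '
    'TargetFilename="C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\evil.dll"',
    'time=2021-07-01T10:02:13 host=WS01 source=PrintService EventCode=316 '
    'Message="Printer driver Generic Driver was added or updated"',
    'time=2021-07-01T09:40:00 host=WS02 source=Sysmon EventCode=11 '
    'Image="C:\\Windows\\System32\\spoolsv.exe" '
    'TargetFilename="C:\\Windows\\System32\\spool\\PRINTERS\\00004.SPL"',
    'time=2021-07-01T11:15:30 host=WS03 source=Sysmon EventCode=11 '
    'Image="C:\\Windows\\System32\\spoolsv.exe" '
    'TargetFilename="C:\\Windows\\System32\\spool\\drivers\\x64\\3\\vendor.dll"',
]

SPOOL_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\spool\\drivers\\", re.I)
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window between DLL write and driver add

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def is_driver_dll_write(ev):
    """spoolsv.exe dropping a DLL into the driver store is the file modification a rogue driver install leaves."""
    return (ev.get("source") == "Sysmon" and ev.get("EventCode") == "11"
            and ev.get("Image", "").lower().endswith("\\spoolsv.exe")
            and bool(SPOOL_DRIVER_DIR.match(ev.get("TargetFilename", "")))
            and ev["TargetFilename"].lower().endswith(".dll"))

def triage(lines):
    """Return {host: [(write_time, dll_path, driver_added_time_or_None), ...]} for hosts to isolate."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    findings = {}
    for ev in events:
        if not is_driver_dll_write(ev):
            continue
        # Look for a driver-added event on the same host shortly after the DLL write.
        confirm = next((e["time"] for e in events
                        if e["host"] == ev["host"] and e.get("EventCode") == "316"
                        and ev["time"] <= e["time"] <= ev["time"] + CORRELATION_WINDOW), None)
        findings.setdefault(ev["host"], []).append((ev["time"], ev["TargetFilename"], confirm))
    return findings

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        for when, path, confirmed in hits:
            print(f"{host} {when} {path} driver_added={'yes' if confirmed else 'not seen'}")
```

A DLL write without a matching EventCode 316 (WS03 above) is still worth a look: the timeline tells you which host to pull further file-modification events from first.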

These additional resources might help you understand and implement this guidance:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.