Detecting print spooler attacks
As a security analyst, it is your job to stay on top of Microsoft's reports on common vulnerabilities and exposures. You have recently found out that Microsoft has reported on a number of vulnerabilities that may affect your network, and you need to identify whether any of your organization's Windows endpoints have been affected.
These vulnerabilities affect the print spooler service, which is enabled by default on Windows systems. They allow an adversary holding only a low-privileged user account to trick the service into installing a remotely hosted print driver. Successful exploitation lets the attacker execute arbitrary code on the target system in the context of the print spooler service, which runs with elevated privileges. The PrintNightmare vulnerability is an example of this type of attack.
You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.
Data required for this use case:
- Microsoft: Windows event logs and Sysmon
- Endpoint data
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
- Print spooler adding a printer driver
- Print spooler failed to load a plug-in
- Rundll32 with no command line arguments with network
- Spoolsv spawning Rundll32
- Spoolsv suspicious loaded modules
- Spoolsv suspicious process access
- Spoolsv writing a DLL
- Spoolsv writing a DLL - Sysmon
- Suspicious Rundll32 no command line arguments
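The logic behind three of the detections above, written as an added Python example that runs over constructed Sysmon-style events; it is not Splunk's ESCU search content, and the SysmonEvent class, hostnames, and file paths are assumptions made for the illustration.

```python
from dataclasses import dataclass
import ntpath  # parses Windows paths correctly on any host OS

@dataclass
class SysmonEvent:
    event_id: int              # 1 = process creation, 11 = file creation
    computer: str
    image: str                 # process that raised the event
    parent_image: str = ""     # event 1 only
    command_line: str = ""     # event 1 only
    target_filename: str = ""  # event 11 only

def _name(path):
    """Lower-cased final path component, tolerating a quoted path."""
    return ntpath.basename(path.strip().strip('"')).lower()

def spoolsv_spawning_rundll32(events):
    """The spooler has no business launching rundll32.exe; flag process creations where it does."""
    return [e for e in events if e.event_id == 1
            and _name(e.parent_image) == "spoolsv.exe" and _name(e.image) == "rundll32.exe"]

def rundll32_no_arguments(events):
    """rundll32.exe started with nothing but its own (possibly quoted) path on the command line."""
    return [e for e in events if e.event_id == 1 and _name(e.image) == "rundll32.exe"
            and _name(e.command_line) == "rundll32.exe"]

def spoolsv_writing_dll(events):
    """spoolsv.exe writing a DLL to disk, as happens when a remotely hosted driver is staged."""
    return [e for e in events if e.event_id == 11 and _name(e.image) == "spoolsv.exe"
            and e.target_filename.lower().endswith(".dll")]

def triage(events):
    """Map each host to the detection names that fired, to drive the isolate-and-review step."""
    report = {}
    for name, detect in (("Spoolsv spawning Rundll32", spoolsv_spawning_rundll32),
                         ("Suspicious Rundll32 no command line arguments", rundll32_no_arguments),
                         ("Spoolsv writing a DLL - Sysmon", spoolsv_writing_dll)):
        for e in detect(events):
            report.setdefault(e.computer, set()).add(name)
    return report

# Constructed sample telemetry: hostnames, paths and the DLL name are made up for this example.
SAMPLE_EVENTS = [
    SysmonEvent(1, "WS01", r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\services.exe", "spoolsv.exe"),
    SysmonEvent(11, "WS01", r"C:\Windows\System32\spoolsv.exe", target_filename=r"C:\Windows\System32\spool\drivers\x64\3\New\MyPrinterDriver.dll"),
    SysmonEvent(1, "WS01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\spoolsv.exe", r'"C:\Windows\System32\rundll32.exe"'),
    SysmonEvent(1, "WS02", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    SysmonEvent(11, "WS02", r"C:\Windows\System32\spoolsv.exe", target_filename=r"C:\Windows\System32\spool\PRINTERS\00012.SPL"),
]
```

Only WS01 is reported: WS02's rundll32 carries real arguments and its spooler wrote a spool file, not a DLL, so neither rule fires there.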
During triage, isolate the endpoint and review it for the source of exploitation. Capture any additional file modification events.
If your results indicate that an attack has occurred, the host where the vulnerability was detected needs to be investigated further and remediated according to your response plan. The final step is to re-image the system with a known good system build once the investigation is complete.
These additional resources might help you understand and implement this guidance:
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.