Some attacks, such as PrintNightmare, use the print spooler to execute code on the target system with the aim of gaining escalated privileges.
As part of a process of detecting attacks on print spooler services in your network, you should first understand your exposure to this vulnerability. You can do this by using Splunk to assess how many endpoints in your network have the print spooler service enabled or running.
1. Enable Universal Forwarders across your fleet.
2. Enable the WinHostMon input from the Splunk Add-On for Microsoft Windows to report on the status of services on each server:

```ini
####### Host monitoring #######
# Place these settings in inputs.conf, inside the WinHostMon stanza for this input.
interval = 600
disabled = 0
type = Service
```

3. Run the following search. You can optimize it by specifying an index and adjusting the time range.

```spl
sourcetype=WinHostMon source=service DisplayName="Print Spooler" | stats values(DisplayName) AS Disp_Name,values(StartMode) AS Start_mode,values(Started) AS Started,values(State) AS State BY host
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
|---|---|
| `sourcetype=WinHostMon source=service DisplayName="Print Spooler"` | Search WinHostMon service events for the Print Spooler service. |
| `\| stats values(DisplayName) AS Disp_Name,values(StartMode) AS Start_mode,values(Started) AS Started,values(State) AS State BY host` | Return the distinct values of the fields shown, grouped by host. |
The results of this search can be used to track mitigation progress. Once you understand your exposure to this vulnerability, you can run additional searches to detect instances where print spooler attacks have occurred.
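As an added illustration that is not part of the original page, the following Python mirrors the search's filter and `stats values(...) BY host` aggregation over constructed WinHostMon-style service events, then counts the hosts that still have the spooler running or set to start automatically, which is the number you would track for mitigation progress. The multi-line key=value event format and the `StartMode` values (`Auto`, `Manual`, `Disabled`) are assumptions; the field names are the ones the search uses.

```python
from collections import defaultdict

# Constructed sample events: (host, raw event body). Format and values are
# assumptions modelled on the WinHostMon service input, not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", "Type=Service\nDisplayName=Print Spooler\nStartMode=Auto\nStarted=True\nState=Running"),
    ("ws-02", "Type=Service\nDisplayName=Print Spooler\nStartMode=Disabled\nStarted=False\nState=Stopped"),
    ("srv-01", "Type=Service\nDisplayName=Windows Update\nStartMode=Manual\nStarted=True\nState=Running"),
    ("srv-01", "Type=Service\nDisplayName=Print Spooler\nStartMode=Manual\nStarted=False\nState=Stopped"),
]

STATS_FIELDS = ("DisplayName", "StartMode", "Started", "State")


def parse_event(raw):
    """Turn one multi-line key=value event body into a dict of fields."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def spooler_status_by_host(events, display_name="Print Spooler"):
    """Equivalent of: DisplayName="Print Spooler" | stats values(...) BY host.

    Returns {host: {field: sorted list of distinct values}} for hosts that
    reported the spooler service at least once.
    """
    by_host = defaultdict(lambda: defaultdict(set))
    for host, raw in events:
        fields = parse_event(raw)
        if fields.get("DisplayName") != display_name:
            continue  # the search's filter drops every other service
        for name in STATS_FIELDS:
            if name in fields:
                by_host[host][name].add(fields[name])
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in by_host.items()}


def exposure_summary(status):
    """Hosts where the spooler is running or will start on boot (StartMode=Auto)."""
    exposed = [h for h, d in status.items()
               if "Running" in d.get("State", []) or "Auto" in d.get("StartMode", [])]
    return {"hosts_reporting": len(status), "exposed": sorted(exposed)}
```

Run `exposure_summary(spooler_status_by_host(SAMPLE_EVENTS))` against a fresh export of the search results on each review cycle and watch the `exposed` list shrink as hosts are disabled or patched.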