You might need to search for a print spooler failing to load a plug-in when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Technologies: Splunk Enterprise or Splunk Cloud Platform
- Data: Windows event logs
Exploitation of PrintNightmare (CVE-2021-34527) and related print spooler vulnerabilities delivers an attacker-controlled DLL to the spooler as a printer driver or plug-in. When that DLL fails to initialize, the spooler records the failure in the Microsoft-Windows-PrintService/Admin log, typically as Event ID 808 or 4909 with error code 0x45A (ERROR_DLL_INIT_FAILED). This search detects those plug-in load errors.
To optimize the search shown below, you should specify an index and a time range.
- Ensure the PrintService Admin and Operational logs are being forwarded to Splunk from critical or all systems. The Admin channel is enabled by default on Windows; the Operational channel is disabled by default and must be enabled (for example through Event Viewer or wevtutil) before it contains any events.
- Run the following search:
source="WinEventLog:Microsoft-Windows-PrintService/Admin" ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | stats count min(_time) AS firstTime max(_time) AS lastTime BY OpCode EventCode ComputerName Message
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Search component | Explanation |
| --- | --- |
| source="WinEventLog:Microsoft-Windows-PrintService/Admin" | Restrict the search to Windows PrintService administrative log data. |
| ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | Match events that carry error code 0x45A (ERROR_DLL_INIT_FAILED) together with Event ID 808 or 4909, or, regardless of error code, events whose text contains the plug-in load failure message or a path under the x64 printer driver directory. The two halves are joined by OR, so an event only needs to satisfy one of them. |
| \| stats count min(_time) AS firstTime max(_time) AS lastTime BY OpCode EventCode ComputerName Message | Group the matching events by operation code, Event ID, host name and message text, and return the number of events plus the earliest and latest time each combination occurred. |
Ensure you filter for false positives on this search. Legitimate driver installations and print server upgrades also produce plug-in load failures and events that mention the x64 driver directory (for example a corrupt or incompatible driver package), so baseline the results before alerting and treat the combination of error code 0x45A with Event ID 808 or 4909 as the higher-fidelity signal.
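The following Python script is an added example, not part of the original page or of Splunk's own content. It re-implements the search above in plain code and runs it over a handful of constructed PrintService/Admin records (the host names, timestamps, DLL names and message texts are all made up for the example) so you can see which events each clause of the search matches and why some of them are worth tuning out. It also separates the high-fidelity hits (error code 0x45A with Event ID 808 or 4909) from the text-only hits, which is the split the false-positive review above relies on. Note that the SPL assumes an ErrorCode field has already been extracted; this example pulls the code out of the message text with a regular expression, which is what you would do with rex in Splunk if your add-on does not extract it.

```python
import re

# Constructed sample records (not real telemetry). Field names mirror what the
# Splunk Add-on for Microsoft Windows extracts from a
# Microsoft-Windows-PrintService/Admin event; _time is a Unix epoch.
PLUGIN_FAIL = ("The print spooler failed to load a plug-in module "
               "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\unknown.dll, "
               "error code 0x45A. See the event user data for context information.")
# Same failure message but with 0x7E (ERROR_MOD_NOT_FOUND): a broken driver
# install rather than a DLL that refused to initialise.
PLUGIN_FAIL_MISSING = ("The print spooler failed to load a plug-in module "
                       "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\UNIDRV.DLL, "
                       "error code 0x7E. See the event user data for context information.")
DOC_FAIL = ("The document Print Document, owned by alice, failed to print on "
            "printer Example LaserJet. Data type: RAW. Size of the spool file in bytes: 0.")
# A routine driver installation that mentions the x64 driver directory.
DRIVER_ADDED = ("Printer driver Example PCL6 for Windows x64 Version-3 was added or "
                "updated. Files:- C:\\Windows\\System32\\spool\\drivers\\x64\\3\\example.dll. "
                "No user action is required.")

SAMPLE_EVENTS = [
    {"_time": 1625587200, "EventCode": "808", "OpCode": "Info", "ComputerName": "ws01.corp.example", "Message": PLUGIN_FAIL},
    {"_time": 1625587230, "EventCode": "808", "OpCode": "Info", "ComputerName": "ws01.corp.example", "Message": PLUGIN_FAIL},
    {"_time": 1625587260, "EventCode": "4909", "OpCode": "Info", "ComputerName": "ws01.corp.example", "Message": PLUGIN_FAIL},
    {"_time": 1625590000, "EventCode": "808", "OpCode": "Info", "ComputerName": "ws02.corp.example", "Message": PLUGIN_FAIL_MISSING},
    {"_time": 1625590100, "EventCode": "372", "OpCode": "Info", "ComputerName": "ws03.corp.example", "Message": DOC_FAIL},
    {"_time": 1625590200, "EventCode": "316", "OpCode": "Info", "ComputerName": "ws03.corp.example", "Message": DRIVER_ADDED},
]

ERROR_CODE_RE = re.compile(r"error code 0x([0-9A-Fa-f]+)")
PLUGIN_TEXT = "the print spooler failed to load a plug-in module"
X64_DRIVER_DIR = "\\drivers\\x64\\"   # the literal \drivers\x64\ written as "\\drivers\\x64\\" in SPL


def extract_error_code(message):
    """Return the hex error code in the message text, normalised like '0x45A', or None."""
    m = ERROR_CODE_RE.search(message)
    return "0x" + m.group(1).upper() if m else None


def is_dll_init_failure(event):
    """The high-fidelity clause: (ErrorCode="0x45A" (EventCode="808" OR EventCode="4909"))."""
    return (extract_error_code(event["Message"]) == "0x45A"
            and event["EventCode"] in ("808", "4909"))


def matches(event):
    """The full search predicate. Splunk keyword matching is case-insensitive,
    so the two text clauses compare against the lower-cased message."""
    text = event["Message"].lower()
    return is_dll_init_failure(event) or PLUGIN_TEXT in text or X64_DRIVER_DIR in text


def detect(events):
    """Equivalent of
    | stats count min(_time) AS firstTime max(_time) AS lastTime BY OpCode EventCode ComputerName Message
    over the matching events. Returns one row per group, ordered by firstTime."""
    groups = {}
    for e in events:
        if not matches(e):
            continue
        key = (e["OpCode"], e["EventCode"], e["ComputerName"], e["Message"])
        row = groups.setdefault(key, {
            "OpCode": key[0], "EventCode": key[1], "ComputerName": key[2], "Message": key[3],
            "count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return sorted(groups.values(), key=lambda r: (r["firstTime"], r["EventCode"]))


def high_fidelity_hosts(events):
    """Hosts that hit the 0x45A + 808/4909 clause: the ones to isolate first during triage."""
    return {e["ComputerName"] for e in events if is_dll_init_failure(e)}


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["ComputerName"]:20} EventCode={row["EventCode"]:>5} count={row["count"]} '
              f'firstTime={row["firstTime"]} lastTime={row["lastTime"]}')
    print("isolate first:", sorted(high_fidelity_hosts(SAMPLE_EVENTS)))
```

Run against the constructed events, the search returns four rows: two for ws01 (Event IDs 808 and 4909, both with 0x45A), one for ws02 (a plug-in load failure with 0x7E, caught only by the message-text clause) and one for ws03's driver installation event, caught only because its file list sits under \drivers\x64\. Only ws01 is a high-fidelity hit; the ws03 row is the kind of result you would tune out, for example by excluding Event ID 316 or by requiring the failure message alongside the path.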
During triage, isolate the endpoint, note the module path named in the event, and determine how that file arrived on the host. Capture any related file creation or modification events, particularly in the spool driver directory.
If your results indicate an attack has occurred, the host on which the plug-in load failure was detected needs to be further investigated and remediated according to your response plan. This should end with re-imaging the system from a known good build once the investigation is complete.