Description

The following analytic identifies driver load errors using the Windows PrintService Admin logs. The behavior was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), also known as PrintNightmare.
Within the proof of concept code, the following error will occur: "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information."
The analytic is based on the file path and the failure to load the plug-in.
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-07-01
  • Author: Mauricio Velazco, Michael Haag, Splunk
  • ID: 1adc9548-da7c-11eb-8f13-acde48001122

ATT&CK

| ID        | Technique                         | Tactic                               |
|-----------|-----------------------------------|--------------------------------------|
| T1547.012 | Print Processors                  | Persistence, Privilege Escalation    |
| T1547     | Boot or Logon Autostart Execution | Persistence, Privilege Escalation    |

Search

`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `print_spooler_failed_to_load_a_plug_in_filter`
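To make the matching and aggregation logic of the search above concrete outside Splunk, here is an added Python re-implementation (this is example code, not Splunk's own, and not part of the security content repository). It applies the same two branches the SPL does (ErrorCode 0x45A on EventCode 808 or 4909, or a message carrying the quoted failure text or the `\drivers\x64\` path) and then groups like the `stats` clause. The event records are constructed, the field names mirror the search, and it is assumed that Splunk's case-insensitive literal matching and the `%Y-%m-%dT%H:%M:%S` rendering of `security_content_ctime` are the behaviours being reproduced.

```python
"""Added example: stand-alone equivalent of the 'Print Spooler Failed to Load a
Plug-in' search over constructed PrintService Admin events (not Splunk's code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Search terms, lower-cased because Splunk matches string literals case-insensitively
# (assumption about equivalent behaviour, not a Splunk guarantee stated on the page).
MSG_SNIPPET = "the print spooler failed to load a plug-in module"
PATH_SNIPPET = "\\drivers\\x64\\"
ERROR_CODE = "0x45a"
EVENT_CODES = {"808", "4909"}

# The message quoted in the description (the PrintNightmare PoC artifact).
POC_MESSAGE = ("The print spooler failed to load a plug-in module "
               "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\meterpreter.dll, "
               "error code 0x45A. See the event user data for context information.")

# Constructed sample events: hostnames, timestamps and the non-PoC messages are made up.
SAMPLE_EVENTS = [
    {"_time": 1625097600, "EventCode": "808", "ErrorCode": "0x45A", "OpCode": "Info",
     "ComputerName": "WIN-PRINT01", "Message": POC_MESSAGE},
    # Same event 30 s later on the same host: aggregates into the same result row.
    {"_time": 1625097630, "EventCode": "808", "ErrorCode": "0x45A", "OpCode": "Info",
     "ComputerName": "WIN-PRINT01", "Message": POC_MESSAGE},
    # Error-code branch only: 4909 with 0x45A but a message without the quoted text.
    {"_time": 1625098000, "EventCode": "4909", "ErrorCode": "0x45A", "OpCode": "Info",
     "ComputerName": "WIN-PRINT02",
     "Message": "The print spooler could not load a required module, error code 0x45A."},
    # Benign driver activity: no error code, no matching text -> no match.
    {"_time": 1625098100, "EventCode": "316", "ErrorCode": "", "OpCode": "Info",
     "ComputerName": "WIN-PRINT02",
     "Message": "Printer driver Example Universal Print Driver was added or updated."},
    # 0x45A on an event code outside the list and no matching text -> no match.
    {"_time": 1625098200, "EventCode": "372", "ErrorCode": "0x45A", "OpCode": "Info",
     "ComputerName": "WIN-PRINT03",
     "Message": "The document Print Document, owned by user, failed to print."},
]


def matches(event):
    """Boolean logic of the search for a single event."""
    error_code = str(event.get("ErrorCode", "")).lower()
    event_code = str(event.get("EventCode", ""))
    message = str(event.get("Message", "")).lower()
    code_branch = error_code == ERROR_CODE and event_code in EVENT_CODES
    message_branch = MSG_SNIPPET in message or PATH_SNIPPET in message
    return code_branch or message_branch


def to_ctime(epoch):
    """Render epoch seconds the way security_content_ctime does (UTC assumed)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(events):
    """count, min(_time) as firstTime, max(_time) as lastTime
    by OpCode EventCode ComputerName Message, over matching events only."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = (ev["OpCode"], ev["EventCode"], ev["ComputerName"], ev["Message"])
            groups[key].append(ev["_time"])
    results = []
    for (opcode, event_code, host, message), times in groups.items():
        results.append({
            "OpCode": opcode, "EventCode": event_code, "ComputerName": host,
            "Message": message, "count": len(times),
            "firstTime": to_ctime(min(times)), "lastTime": to_ctime(max(times)),
        })
    results.sort(key=lambda r: (r["ComputerName"], r["EventCode"]))
    return results


def risk_message(result):
    """The RBA message from this page, with its $ComputerName$ / $EventCode$ tokens filled."""
    return (f"Suspicious printer spooler errors have occurred on endpoint "
            f"{result['ComputerName']} with EventCode {result['EventCode']}.")


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["count"], row["firstTime"], row["lastTime"],
              row["ComputerName"], row["EventCode"])
        print("  ", risk_message(row))
```

Run as a script, the two PoC events collapse into one row with `count` 2 and a 30-second `firstTime`/`lastTime` window, the 4909 event forms a second row, and the two noise events are dropped. Tuning the `print_spooler_failed_to_load_a_plug_in_filter` macro corresponds to adding exclusions inside `matches()`.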

Associated Analytic Story

How To Implement

You will need to ensure that the PrintService Admin and Operational logs are being forwarded to Splunk from critical systems, or from all systems.

Required field

  • _time
  • OpCode
  • EventCode
  • ComputerName
  • Message

Kill Chain Phase

  • Exploitation

Known False Positives

False positives are unknown and filtering may be required.

RBA

| Risk Score | Impact | Confidence | Message                                                                                              |
|------------|--------|------------|------------------------------------------------------------------------------------------------------|
| 72.0       | 80     | 90         | Suspicious printer spooler errors have occurred on endpoint $ComputerName$ with EventCode $EventCode$. |

CVE

| ID             | Summary                                                    | CVSS |
|----------------|------------------------------------------------------------|------|
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability  | 9.0  |
| CVE-2021-1675  | Windows Print Spooler Elevation of Privilege Vulnerability | 9.3  |

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1