Techniques
Sample rules
Print Spooler Failed to Load a Plug-in
- source: splunk
- technicques:
- T1547.012
- T1547
Description
The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as “meterpreter.dll,” with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.
Detection logic
`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `print_spooler_failed_to_load_a_plug_in_filter`