Techniques
Sample rules
Print Spooler Failed to Load a Plug-in
- source: splunk
- techniques:
  - T1547.012
  - T1547
Description
The following analytic identifies driver load errors using the Windows PrintService Admin logs. This behaviour was identified during our testing of CVE-2021-34527 (previously CVE-2021-1675), also known as PrintNightmare. When the proof-of-concept code runs, the following error is logged: “The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information.” The analytic keys on the driver file path and on the failure to load the plug-in. During triage, isolate the endpoint and review for the source of exploitation, and capture any additional file modification events.
Detection logic
`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `print_spooler_failed_to_load_a_plug_in_filter`
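The following Python is an added example, not part of the Splunk rule, that reproduces the search above outside Splunk so its two match branches and its `stats` aggregation can be checked against a handful of events. It assumes events have already been field-extracted into dictionaries with `_time`, `ComputerName`, `EventCode`, `OpCode`, `ErrorCode` and `Message` keys; the sample events are constructed for illustration (the module name `suspicious-plugin.dll` is a placeholder), and the `print_spooler_failed_to_load_a_plug_in_filter` macro is modelled as an optional `exclude` callback for local tuning.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events shaped like field-extracted
# Microsoft-Windows-PrintService/Admin records. Not real telemetry;
# host names and the plug-in module name are placeholders.
_FAIL_MSG = ("The print spooler failed to load a plug-in module "
             "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\{dll}, error code {code}. "
             "See the event user data for context information.")

SAMPLE_EVENTS = [
    {"_time": "2021-07-01T10:00:01", "ComputerName": "ws01.corp.example", "EventCode": "808",
     "OpCode": "Info", "ErrorCode": "0x45A",
     "Message": _FAIL_MSG.format(dll="suspicious-plugin.dll", code="0x45A")},
    {"_time": "2021-07-01T10:00:03", "ComputerName": "ws01.corp.example", "EventCode": "808",
     "OpCode": "Info", "ErrorCode": "0x45A",
     "Message": _FAIL_MSG.format(dll="suspicious-plugin.dll", code="0x45A")},
    {"_time": "2021-07-01T10:00:05", "ComputerName": "ws01.corp.example", "EventCode": "4909",
     "OpCode": "Info", "ErrorCode": "0x45A",
     "Message": _FAIL_MSG.format(dll="suspicious-plugin.dll", code="0x45A")},
    # Benign print job event: no error code, no plug-in text, no driver path.
    {"_time": "2021-07-01T11:30:00", "ComputerName": "ws02.corp.example", "EventCode": "372",
     "OpCode": "Info", "ErrorCode": "",
     "Message": "Document 5, Printed, owned by alice, printed on Printer1"},
    # Different error code: fails the ErrorCode branch but still matches on message text/path.
    {"_time": "2021-07-01T12:00:00", "ComputerName": "ws03.corp.example", "EventCode": "808",
     "OpCode": "Info", "ErrorCode": "0x7E",
     "Message": _FAIL_MSG.format(dll="vendor-plugin.dll", code="0x7E")},
]

PLUGIN_LOAD_FAILURE_TEXT = "the print spooler failed to load a plug-in module"
# Splunk term matching is case-insensitive, so the path check is too.
DRIVER_PATH_RE = re.compile(r"\\drivers\\x64\\", re.IGNORECASE)


def matches(event):
    """Mirror of the search's boolean filter:
    (ErrorCode=0x45A AND EventCode in {808, 4909}) OR plug-in text OR driver path."""
    raw = event.get("Message", "")
    code_branch = (event.get("ErrorCode", "").lower() == "0x45a"
                   and event.get("EventCode") in ("808", "4909"))
    text_branch = (PLUGIN_LOAD_FAILURE_TEXT in raw.lower()
                   or DRIVER_PATH_RE.search(raw) is not None)
    return code_branch or text_branch


def summarize(events, exclude=None):
    """Equivalent of `stats count min(_time) max(_time) by OpCode EventCode
    ComputerName Message`, with times rendered like security_content_ctime.
    `exclude(event) -> bool` stands in for the rule's tuning filter macro."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if not matches(ev) or (exclude is not None and exclude(ev)):
            continue
        key = (ev["OpCode"], ev["EventCode"], ev["ComputerName"], ev["Message"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups[key]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    fmt = "%Y-%m-%dT%H:%M:%S"
    return {key: {"count": g["count"],
                  "firstTime": g["first"].strftime(fmt),
                  "lastTime": g["last"].strftime(fmt)}
            for key, g in groups.items()}


if __name__ == "__main__":
    for (opcode, event_code, host, _msg), row in summarize(SAMPLE_EVENTS).items():
        print(f"{host} EventCode={event_code} OpCode={opcode} "
              f"count={row['count']} first={row['firstTime']} last={row['lastTime']}")
```

Note that the last sample event is caught by the message-text branch even though its error code is not 0x45A; that is the same breadth the bare string terms give the Splunk search, and it is where the filter macro (here the `exclude` callback) is the place to suppress known vendor plug-in failures rather than loosening the match itself.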