LoFP / Uninstall or manual deletion of legitimate printer driver files. Verify the deleted file's metadata, such as the manufacturer and the Authenticode signature, before treating the event as malicious.

Techniques

Sample rules

Suspicious Print Spooler File Deletion

Description

Detects deletion of print driver DLLs from the x64 print driver store by a process other than the spooler and a few other expected Windows processes. This may indicate an attempt to clean up a dropped driver DLL after a successful privilege escalation through Print Spooler service related vulnerabilities.

Detection logic

file where host.os.type == "windows" and event.type == "deletion" and
  file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and
  not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe")
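To make concrete what the query above fires on and what it quietly excludes, the following Python re-implements its conditions and runs them over a handful of constructed ECS-style file events. This is an added example, not code from the LoFP page or from the rule's source; the sample events, the `matches_rule_hardened` variant and the expected executable paths it checks are this example's own assumptions, not part of the rule.

```python
import re

# Constants lifted from the rule's EQL query.
DRIVER_PATH_PATTERN = r"?:\Windows\System32\spool\drivers\x64\3\*.dll"
EXCLUDED_PROCESS_NAMES = ("spoolsv.exe", "dllhost.exe", "explorer.exe")

# Assumption used only by the hardened variant below (not part of the original
# rule): where each excluded binary is expected to live on disk.
EXPECTED_EXECUTABLES = {
    "spoolsv.exe": r"?:\Windows\System32\spoolsv.exe",
    "dllhost.exe": r"?:\Windows\System32\dllhost.exe",
    "explorer.exe": r"?:\Windows\explorer.exe",
}


def eql_match(pattern: str, value: str) -> bool:
    """Emulate EQL's ':' operator: case-insensitive, '*' matches any run of
    characters, '?' matches exactly one character, everything else is literal.
    That is why the rule's path pattern can start with '?:\\' to cover any drive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def in_scope(event: dict) -> bool:
    """The file-side conditions of the rule: a DLL deleted from the x64 driver store."""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") == "deletion"
        and eql_match("dll", event.get("file.extension", ""))
        and eql_match(DRIVER_PATH_PATTERN, event.get("file.path", ""))
    )


def matches_rule(event: dict) -> bool:
    """The rule as written: in-scope deletion by any process whose *name* is not
    on the exclusion list."""
    name = event.get("process.name", "")
    return in_scope(event) and not any(eql_match(n, name) for n in EXCLUDED_PROCESS_NAMES)


def matches_rule_hardened(event: dict) -> bool:
    """Suggested tightening (this example's own, not the rule): honour the exclusion
    only when the process also runs from its expected path, so a tool merely
    renamed to spoolsv.exe still alerts."""
    if not in_scope(event):
        return False
    expected = EXPECTED_EXECUTABLES.get(event.get("process.name", "").lower())
    return expected is None or not eql_match(expected, event.get("process.executable", ""))


def _event(eid, name, path, exe="", etype="deletion", os_type="windows"):
    """Build a minimal ECS-style event (constructed sample data)."""
    return {
        "id": eid, "event.category": "file", "event.type": etype,
        "host.os.type": os_type, "process.name": name, "process.executable": exe,
        "file.path": path, "file.extension": path.rsplit(".", 1)[-1],
    }


# Constructed sample events, chosen to exercise each branch of the query.
X64_STORE = r"C:\Windows\System32\spool\drivers\x64\3"
SAMPLE_EVENTS = [
    # Legitimate spooler activity: excluded by name.
    _event("spooler-cleanup", "spoolsv.exe", X64_STORE + r"\UNIDRV.DLL",
           exe=r"C:\Windows\System32\spoolsv.exe"),
    # Interactive deletion of a dropped driver DLL: the case the rule is for.
    _event("powershell-delete", "powershell.exe", X64_STORE + r"\dropped.dll",
           exe=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Non-system drive: '?:' still matches.
    _event("other-drive", "cmd.exe", r"D:\Windows\System32\spool\drivers\x64\3\x.dll"),
    # 32-bit driver store: outside the rule's path pattern, never fires.
    _event("x86-store", "cmd.exe", r"C:\Windows\System32\spool\drivers\W32X86\3\x.dll"),
    # Creation rather than deletion: out of scope.
    _event("creation", "cmd.exe", X64_STORE + r"\x.dll", etype="creation"),
    # Attacker tool renamed to spoolsv.exe but running from a user directory:
    # the name-based exclusion hides it, the hardened variant does not.
    _event("renamed-tool", "spoolsv.exe", X64_STORE + r"\payload.dll",
           exe=r"C:\Users\Public\spoolsv.exe"),
]


def run(events, rule=matches_rule):
    """Return the ids of the events a rule would alert on."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("as written:", run(SAMPLE_EVENTS))
    print("hardened:  ", run(SAMPLE_EVENTS, matches_rule_hardened))
```

Two things the run makes visible: the exclusion is on `process.name` only, so anything that calls itself `spoolsv.exe` is invisible to the rule as written, and the path pattern covers only the `x64\3` store, not `W32X86\3`. For alerts that do fire, the false-positive guidance at the top of the page applies: check the deleted DLL's manufacturer and signature before escalating.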