The hypothesis is that an adversary is leveraging the PrintNightmare vulnerability (CVE-2021-1675) by creating unsigned or suspicious files in the print spooler drivers folder to escalate privileges or maintain persistence. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation of this known vulnerability before it leads to a full compromise.
KQL Query
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers"
id: ec1934d5-c591-4ff4-9968-079dba04d28e
name: printnightmare-cve-2021-1675 usage detection
description: |
  The first query looks in the print spooler drivers folder for any file creations.
  MANY OF THE FILES THAT COME UP HERE MAY BE LEGITIMATE. Unsigned files, or files
  with no relation to the printers you actually use, are suspicious.
  A second query that can be used to find client machines that could be operating
  as print servers or file servers is also included here.
  As an additional mitigation for the exploit you might want to block incoming
  traffic to the SMB or EPMAP ports (445) if you need to keep the spooler service
  running to print from clients.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Privilege escalation
  - Lateral movement
  - Exploit
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers"
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually updating printer drivers using a legitimate tool like Printer Spooler Configuration Tool or Print Management Console.
Filter/Exclusion: Exclude file creations in the print spooler directory (C:\Windows\System32\spool\drivers) that originate from known administrative tools or are signed by Microsoft.
Scenario: A scheduled job runs to generate printer configuration files for a fleet of printers using Windows Printer Management or Group Policy Preferences.
Filter/Exclusion: Exclude file creations that occur during known maintenance windows or are associated with GPO or SCCM tasks.
Scenario: A developer is testing a custom print spooler service or third-party print driver using Print Spooler API or Windows Driver Kit (WDK).
Filter/Exclusion: Exclude file creations that are associated with development tools or are signed by trusted third-party vendors.
Scenario: A user is using Microsoft Print to PDF or XPS Document Writer to generate documents, which creates temporary files in the print spooler directory.
Filter/Exclusion: Exclude file creations that match known PDF/XPS printer driver patterns or are associated with user-generated documents.
Scenario: A system update or patching process (e.g., via Windows Update or System Center Configuration Manager) deploys new print spooler components.
Filter/Exclusion: Exclude file creations that occur during known update windows or are associated with Microsoft update packages.
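The following KQL is an added example, not part of the original hunting query or of the Sentinel content it was taken from. It layers the tuning advice above onto the base hunt: it keeps only loadable code (so the Print to PDF/XPS document scenario drops out), joins the file hash against the DeviceFileCertificateInfo table (available through the same Microsoft 365 Defender connector) to flag unsigned or non-Microsoft-signed files, applies organization-specific allowlists for approved administrative tools and trusted third-party signers, and summarizes what remains per hash and initiating process. The `approved_tools` and `approved_signers` values are placeholders to be replaced with names from your own environment.

```kql
// Added example, not the original hunting query. Assumes the DeviceFileEvents
// and DeviceFileCertificateInfo tables are ingested via the Microsoft 365
// Defender connector. Allowlist contents below are placeholders.
let lookback = 7d;
// Placeholder allowlists: replace with tools and signers approved in your estate.
let approved_tools = dynamic(["PLACEHOLDER-admin-tool.exe"]);
let approved_signers = dynamic(["PLACEHOLDER Printer Vendor Inc."]);
let spool_creations = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FolderPath startswith @"C:\WINDOWS\SYSTEM32\SPOOL\drivers"
    // Print to PDF / XPS writes documents, not drivers: restrict the hunt to
    // loadable code so spooled document files drop out.
    | where FileName endswith ".dll" or FileName endswith ".sys" or FileName endswith ".exe"
    | where isnotempty(SHA1);
// Latest known certificate verdict per file hash.
let signer_info = DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer;
spool_creations
| join kind=leftouter (signer_info) on SHA1
// "Unsigned files are suspicious": no certificate record at all, unsigned,
// untrusted chain, or not rooted in a Microsoft CA (Microsoft-signed files
// from updates and in-box drivers are removed here).
| where isnull(IsSigned) or IsSigned == false or IsTrusted == false or IsRootSignerMicrosoft == false
// Exclude writes by approved admin/deployment tooling and files signed by an
// approved vendor. Do not allowlist spoolsv.exe itself: legitimate driver
// installs and abuse of the service both write through the spooler process.
| where InitiatingProcessFileName !in~ (approved_tools)
| where isempty(Signer) or Signer !in~ (approved_signers)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Devices = dcount(DeviceName), Files = make_set(FileName, 50),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by SHA1, Signer, IsSigned, InitiatingProcessFileName, InitiatingProcessAccountName
| order by FirstSeen desc
```

Grouping by hash rather than by event lets a single new driver pushed to many devices show up as one row with a device count, which is the shape a hunter wants when deciding whether a file is a fleet-wide deployment or a one-off. Maintenance-window and GPO/SCCM exclusions from the list above are best expressed as additional `where` clauses on `Timestamp` and `InitiatingProcessFileName` once those windows and tools are known for your environment.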