Microsoft-Windows-PrintService › Event 316

Event ID 316 — Printer driver param1 for param2 param3 was added or updated.

Provider
Microsoft-Windows-PrintService
Channel
Operational
Level
Informational
Task
Adding a printer driver
Opcode
SpoolerOperationSucceeded

Description

Printer driver param1 for param2 param3 was added or updated. Files:- param4. No user action is required.

Message

Printer driver %1 for %2 %3 was added or updated. Files:- %4. No user action is required.

Fields

Name    Type
param1  UnicodeString
param2  UnicodeString
param3  UnicodeString
param4  UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-PrintService",
    "guid": "747EF6FD-E535-4D16-B510-42C90F6873A1",
    "event_source_name": "",
    "event_id": 316,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 11,
    "keywords": 4611686018427390208,
    "time_created": "2021-10-27T10:14:27.309949Z",
    "event_record_id": 153,
    "correlation": {},
    "execution": {
      "process_id": 2552,
      "thread_id": 4028
    },
    "channel": "Microsoft-Windows-PrintService/Operational",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "DriverAdded": {
      "#attributes": {
        "xmlns": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
      },
      "Param1": "Generic / Text Only",
      "Param2": "Windows x64",
      "Param3": "Version-3",
      "Param4": "UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, TTY.INI, TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL, STDNAMES.GPD, STDDTYPE.GDL, STDSCHEM.GDL, STDSCHMX.GDL"
    }
  }
}

Detection Rules

Splunk

  • Print Spooler Adding A Printer Driver (source): The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as "kernelbase.dll" and "UNIDRV.DLL." This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.
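The check the Splunk analytic describes, applied to the JSON form of the example event above, as an added example that is not part of this reference page or of the Splunk rule itself. It matches on provider and EventCode 316, maps Param1 to Param4 onto the message template, and breaks out the driver's file list (Param4) so an analyst can surface names of interest; the watch list passed to `files_of_interest` is the analyst's choice, and the function and variable names here are this example's own.

```python
"""
Added example: parse a Microsoft-Windows-PrintService Event 316 record
(exported to JSON as on the reference page) and apply the detection
logic the Splunk analytic describes: EventCode 316 from the PrintService
provider, with the driver file list broken out for review.
"""
import json

# Constructed sample, copied from the page's example event (abbreviated to
# the fields the check needs); field names follow that record.
SAMPLE_EVENT = json.dumps({
    "system": {
        "provider": "Microsoft-Windows-PrintService",
        "event_id": 316,
        "channel": "Microsoft-Windows-PrintService/Operational",
        "time_created": "2021-10-27T10:14:27.309949Z",
        "computer": "fs03vuln.offsec.lan",
        "security": {"user_id": "S-1-5-18"},
    },
    "user_data": {
        "DriverAdded": {
            "Param1": "Generic / Text Only",
            "Param2": "Windows x64",
            "Param3": "Version-3",
            "Param4": ("UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, "
                       "TTY.INI, TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL, "
                       "STDNAMES.GPD, STDDTYPE.GDL, STDSCHEM.GDL, STDSCHMX.GDL"),
        }
    },
})

PRINTSERVICE_PROVIDER = "Microsoft-Windows-PrintService"
DRIVER_ADDED_EVENT_ID = 316
# Message template from the page; %1..%4 correspond to Param1..Param4.
MESSAGE_TEMPLATE = ("Printer driver %1 for %2 %3 was added or updated. "
                    "Files:- %4. No user action is required.")


def parse_driver_added(raw_json):
    """Return the driver name, environment, version, host, time and file list
    for an Event 316 record, or None when the record is not Event 316 from
    the PrintService provider (so callers can feed it a mixed event stream)."""
    rec = json.loads(raw_json)
    system = rec.get("system", {})
    if (system.get("provider") != PRINTSERVICE_PROVIDER
            or system.get("event_id") != DRIVER_ADDED_EVENT_ID):
        return None
    data = rec.get("user_data", {}).get("DriverAdded", {})
    # Param4 is a single comma-separated string; split it into file names.
    files = [f.strip() for f in data.get("Param4", "").split(",") if f.strip()]
    return {
        "computer": system.get("computer"),
        "time": system.get("time_created"),
        "driver": data.get("Param1"),
        "environment": data.get("Param2"),
        "version": data.get("Param3"),
        "files": files,
    }


def render_message(parsed):
    """Rebuild the human-readable event message from the parsed parameters,
    substituting %1..%4 exactly as the template on the page does."""
    return (MESSAGE_TEMPLATE
            .replace("%1", parsed["driver"] or "")
            .replace("%2", parsed["environment"] or "")
            .replace("%3", parsed["version"] or "")
            .replace("%4", ", ".join(parsed["files"])))


def files_of_interest(parsed, watch_list):
    """Return the driver files whose names match watch_list (case-insensitive).
    The Splunk analytic cites "kernelbase.dll" and "UNIDRV.DLL" as message
    content it looks for; the watch list is whatever the analyst chooses."""
    wanted = {w.lower() for w in watch_list}
    return [f for f in parsed["files"] if f.lower() in wanted]


if __name__ == "__main__":
    result = parse_driver_added(SAMPLE_EVENT)
    print(render_message(result))
    print("matched:", files_of_interest(result, ["kernelbase.dll", "UNIDRV.DLL"]))
```

Running the block prints the reconstructed message for the page's example event and the watch-list hits (here `UNIDRV.DLL`); records from other providers or with other event IDs return `None` and are skipped.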

References