Print Spooler Failed to Load a Plug-in
The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically those associated with CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating that the print spooler failed to load a plug-in module, such as "meterpreter.dll", with error code 0x45A. The detection relies on specific event codes and error messages. This activity is significant because it may indicate an exploitation attempt against a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.012 Boot or Logon Autostart Execution: Print Processors |
| Privilege Escalation | T1547.012 Boot or Logon Autostart Execution: Print Processors |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PrintService | 808 | The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode. |
| PrintService | 4909 | Print Service event 4909 (manifest stub). |
Stages and Predicates
- Stage 1 (search): search (EventCode="4909" OR EventCode="808") ErrorCode="0x45A"
- Stage 2 (stats): stats BY OpCode, EventCode, ComputerName, Message
- Stage 3 (search): search
- Stage 4 (search): search
- Stage 5 (search): search `macro`
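Stages 1 and 2 of the rule, as an added Python example (not Splunk's or the rule's own code) run over constructed PrintService/Admin records: it applies the EventCode/ErrorCode predicate, aggregates count, firstTime and lastTime like the stats stage, and also extracts PluginDllName from the Event 808 message text so the analyst sees which DLL failed to load. Host names, timestamps and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like Splunk-ingested PrintService/Admin events
# (hypothetical hosts and times, not real log data).
SAMPLE_EVENTS = [
    {"_time": 1625500000, "EventCode": "808", "ErrorCode": "0x45A", "OpCode": "Info", "ComputerName": "ws01",
     "Message": "The print spooler failed to load a plug-in module meterpreter.dll, error code 0x45A."},
    {"_time": 1625500060, "EventCode": "808", "ErrorCode": "0x45A", "OpCode": "Info", "ComputerName": "ws01",
     "Message": "The print spooler failed to load a plug-in module meterpreter.dll, error code 0x45A."},
    {"_time": 1625500120, "EventCode": "4909", "ErrorCode": "0x45A", "OpCode": "Info", "ComputerName": "print02",
     "Message": "Print Service event 4909."},
    # Benign noise: same event id with a different error code, then an unrelated event id.
    {"_time": 1625500180, "EventCode": "808", "ErrorCode": "0x7E", "OpCode": "Info", "ComputerName": "ws03",
     "Message": "The print spooler failed to load a plug-in module legacy.dll, error code 0x7E."},
    {"_time": 1625500240, "EventCode": "307", "ErrorCode": "", "OpCode": "Info", "ComputerName": "ws01",
     "Message": "Document 5 printed."},
]

# Matches the Event 808 message template: "... plug-in module PluginDllName, error code ErrorCode."
PLUGIN_RE = re.compile(r"failed to load a plug-in module (?P<dll>\S+), error code (?P<code>0x[0-9A-Fa-f]+)")

def matches_stage1(event):
    """Stage 1 of the rule: (EventCode="4909" OR EventCode="808") ErrorCode="0x45A"."""
    return event.get("EventCode") in {"808", "4909"} and event.get("ErrorCode", "").lower() == "0x45a"

def plugin_from_message(message):
    """Pull PluginDllName out of an Event 808 message; None for messages without that template."""
    m = PLUGIN_RE.search(message)
    return m.group("dll") if m else None

def detect(events):
    """Stage 2: stats count, firstTime, lastTime BY OpCode, EventCode, ComputerName, Message."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_stage1(ev):
            continue
        g = groups[(ev["OpCode"], ev["EventCode"], ev["ComputerName"], ev["Message"])]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    return [{"OpCode": k[0], "EventCode": k[1], "ComputerName": k[2], "Message": k[3],
             "PluginDllName": plugin_from_message(k[3]), **v} for k, v in groups.items()]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Only the two 0x45A groups survive; the 0x7E load failure and the unrelated Event 307 are filtered out at stage 1.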
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or a 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ErrorCode | eq | 0x45A |
| EventCode | eq | 4909, 808 |