Unusual file creation activity in the print spooler drivers folder may indicate exploitation of CVE-2021-1675, as attackers often leverage this vulnerability to execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of print spooler services and prevent lateral movement.
KQL Query
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where LocalPort == 445
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
id: ec1e131a-79cb-4f5c-b5e6-3edc5574ac68
name: printnightmare-cve-2021-1675 usage detection (1)
description: |
  The first query looks in the print spooler drivers folder for any file creations.
  Many of the files it returns may be legitimate; unsigned files, or files with no
  relation to the printers you use, are suspicious.
  The second query, also included here, finds client machines that could be acting
  as print servers or file servers.
  As additional mitigation for the exploit you may want to block incoming traffic
  to the SMB or EPMAP ports (445) if you need to keep the spooler service running
  so clients can print.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Privilege escalation
  - Lateral movement
  - Exploit
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where LocalPort == 445
  | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually updating printer drivers using a legitimate tool like Printer Spooler Service Management Tool or Print Management Console.
Filter/Exclusion: Exclude file creation events where the file path contains known legitimate printer driver directories (e.g., C:\Windows\System32\spool\drivers\), or filter by process name like printmsi.exe or spoolsv.exe.
Scenario: A scheduled job runs a PowerShell script to clean up old print jobs or manage print queues, which may involve file operations in the print spooler directory.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes known cleanup scripts or paths related to print management.
Scenario: An IT automation tool like Ansible, Chef, or Puppet is performing a configuration management task that involves modifying files in the print spooler directory.
Filter/Exclusion: Exclude events where the process is associated with known configuration management tools or where the file path matches standard configuration directories used by these tools.
Scenario: A software update or patching tool (e.g., Microsoft Update, WSUS, or SCCM) is deploying printer-related updates that involve file creation in the print spooler folder.
Filter/Exclusion: Exclude events where the process is associated with known patching tools or where the file path matches known update directories (e.g., C:\Windows\Temp\ or C:\Windows\SoftwareDistribution\).
Scenario: A third-party application (e.g., Adobe Acrobat, PDFCreator, or Ghostscript) is generating temporary files in the print spooler directory as part of its normal operation.
Filter/Exclusion: Exclude events where the file path contains known
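The file-creation hunt that the description calls the "first query" is not reproduced on this page; the following is an added example written for this page, not the repository's own query. It runs against the DeviceFileEvents and DeviceFileCertificateInfo tables of the same MicrosoftThreatProtection connector, joins each newly created driver DLL to its certificate record so unsigned or unexpectedly signed files surface first, and applies a deliberately short process exclusion taken from the patching scenario above; the signer allow-list is constructed and must be adapted to your estate.

```kql
// Added example: new DLLs under the spooler drivers folder, ranked by why they look suspicious.
let lookback = 7d;
// Constructed allow-list of signers expected on printer drivers in a hypothetical estate.
let knownSigners = dynamic(["Microsoft Windows", "Microsoft Corporation"]);
let driverFiles = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FolderPath contains @"\spool\drivers\"
    | where FileName endswith ".dll"
    // Keep process exclusions minimal: broad exclusions hide exactly the activity being hunted.
    | where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "msiexec.exe")
    | project Timestamp, DeviceName, FolderPath, FileName, SHA1,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, InitiatingProcessId;
// Latest certificate verdict observed for each file hash.
let certInfo = DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer;
driverFiles
| join kind=leftouter certInfo on SHA1
// A file with no certificate record at all is treated the same as an unsigned one.
| extend Reason = case(
    isnull(IsSigned) or IsSigned == false, "unsigned or no certificate record",
    IsTrusted == false, "signature not trusted",
    Signer !in (knownSigners), "signer not in allow-list",
    "")
| where isnotempty(Reason)
| summarize FileCount = count(), Files = make_set(FileName, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, Reason, InitiatingProcessFileName, InitiatingProcessAccountName
| order by FirstSeen desc
```

Rows whose Reason is "signer not in allow-list" are usually the fastest to triage: either extend knownSigners with the vendor of a printer you actually deploy, or treat the device as a candidate for the port-445 query above.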