How to Track PrintNightmare with Azure Sentinel

There’s been a recent flurry of activity around what folks are calling #PrintNightmare. It has been identified as a Print Spooler flaw, and proof-of-concept (POC) code is publicly available.

For those customers wanting to know more about this, see: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure | SecurityWeek.Com

There are a couple of things you can do to start:

  1. Install the June 2021 updates. This doesn’t fully resolve the current situation, but it does protect your environment against the other items covered for this month.
  2. If you can’t install the updates right now, you can at least turn off the Print Spooler service.

To monitor for this in your environment with Azure Sentinel, here are a couple of options:

  1. Connect the Security Events connector. Configure the agent to capture the Microsoft-Windows-PrintService/Admin log and build a query to look for EventID 808.
  2. Collect the extra DeviceFileEvents log in the M365 Defender Connector and use the following query: SentinelKQL/PrintNightmare.txt at master · rod-trent/SentinelKQL (github.com)
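To make the two options above concrete, here is an added pair of KQL queries (example code written for this post, not the author’s own queries and not the linked SentinelKQL/PrintNightmare.txt). The first assumes the Microsoft-Windows-PrintService/Admin log has been added as a Windows Event Log data source on the agent, so its entries arrive in the `Event` table; the second is a constructed hunt over `DeviceFileEvents` for new DLLs written into the spooler driver directory by `spoolsv.exe`, which is the behaviour a defender would want to surface. The 7-day window and the driver-path filter are assumptions you should tune to your environment.

```kql
// Option 1: Security Events connector / Log Analytics agent.
// Assumption: Microsoft-Windows-PrintService/Admin is configured as a
// Windows Event Log data source, so it lands in the Event table.
// EventID 808 = the print spooler failed to load a plug-in module.
Event
| where TimeGenerated > ago(7d)                      // assumed lookback window
| where EventLog == "Microsoft-Windows-PrintService/Admin"
| where EventID == 808
| project TimeGenerated, Computer, EventID, RenderedDescription, ParameterXml
| sort by TimeGenerated desc

// Option 2: M365 Defender connector, DeviceFileEvents table.
// Constructed example (not the linked query): surface DLLs created or
// modified under the spooler driver store by the spooler process itself.
// Legitimate driver installs will also appear; review the hash and the
// initiating account before treating a hit as malicious.
DeviceFileEvents
| where Timestamp > ago(7d)                          // assumed lookback window
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath contains @"\spool\drivers\"      // assumed driver-store path
| where FileName endswith ".dll"
| where InitiatingProcessFileName =~ "spoolsv.exe"
| project Timestamp, DeviceName, FolderPath, FileName, SHA256,
          InitiatingProcessAccountName, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Run each query on its own in the Sentinel Logs blade; if either returns results you want to act on, the same query body can be pasted into a scheduled analytics rule so new hits create incidents instead of requiring a manual hunt.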

Also, please see the following guidance around the Print Spooler service and domain controllers and Active Directory admin systems:

Microsoft Defender for Identity Print spooler identity security posture assessments | Microsoft Docs

BTW: This is in no way intended to be a definitive answer to this situation. I’m only supplying some things I’ve used. Choose your own best path forward, and if you identify something excellent — share it. It’s security. We’re all in this together.
