Windows.System.PrinterDriver :: Velociraptor

Windows.System.PrinterDriver

This artifact will enumerate installed PrintDrivers using the Win32_PrinterDriver wmi class and parse each DriverPath, ConfigFile and DataFile.

Hunt by searching for untrusted binaries or suspicious removed binararies for evidence of previous exploitation.


name: Windows.System.PrinterDriver
author: Matt Green - @mgreen27
description: |
   This artifact will enumerate installed PrintDrivers using the
   Win32_PrinterDriver wmi class and parse each DriverPath, ConfigFile
   and DataFile.

   Hunt by searching for untrusted binaries or suspicious removed
   binararies for evidence of previous exploitation.

type: CLIENT

sources:
  - query: |
      LET Win32_PrinterDrivers = SELECT
            split(string=Name, sep=',')[0] as Name,
            SupportedPlatform,
            Version,
            DriverPath,
            ConfigFile,
            DataFile
          FROM wmi(query='SELECT * FROM Win32_PrinterDriver',namespace='root/CIMV2')

      SELECT * FROM Win32_PrinterDrivers

  - name: BinaryCheck
    query: |
      SELECT
            lowcase(string=Binary) as Binary,
            array(a1={
                SELECT Name FROM Win32_PrinterDrivers
                WHERE ( DriverPath = Binary OR ConfigFile = Binary OR DataFile = Binary )
            }) as DriverNames,
            hash(path=Binary) as Hash,
            parse_pe(file=Binary) as PE,
            authenticode(filename=Binary) as Authenticode
      FROM chain(
            a={
                SELECT Name, DriverPath as Binary, 'DriverPath' as Type
                FROM Win32_PrinterDrivers
            },
            b={
                SELECT Name as DriverName, ConfigFile as Binary, 'ConfigFile' as Type
                FROM Win32_PrinterDrivers
            },
            c={
                SELECT Name as DriverName, DataFile as Binary, 'DataFile' as Type
                FROM Win32_PrinterDrivers
            })
      GROUP BY lowcase(string=Binary)