Windows.Monitoring.PrintNightmare

This artifact returns ETW PrintService events for potential PrintNightmare activity.
CVE-2021-1675 and CVE-2021-34527

It monitors for DRIVER_ADDED events and enriches with binary information for payload DataFile. Hunt for unexpected drivers with malicious DataFiles.

name: Windows.Monitoring.PrintNightmare
author: Matt Green - @mgreen27
description: |
  This artifact returns ETW PrintService events for potential PrintNightmare activity.  
  CVE-2021-1675 and CVE-2021-34527  
  
  It monitors for DRIVER_ADDED events and enriches with binary information for payload 
  DataFile. Hunt for unexpected drivers with malicious DataFiles.
  
type: CLIENT_EVENT
sources:
  - query: |
      -- Monitor ETW provider and extract enriched target events
      LET hits = SELECT
            System.TimeStamp AS EventTime,
            "Microsoft-Windows-PrintService" as Provider,
            System.ID as EventId,
            'DRIVER_ADDED' as Action,
            EventData,
            {
                SELECT 
                    split(string=Name, sep=',')[0] as Name,
                    SupportedPlatform,
                    Version,
                    DriverPath,
                    ConfigFile,
                    DataFile
                  FROM wmi(query='SELECT * FROM Win32_PrinterDriver',namespace='root/CIMV2')
                  WHERE Name = EventData.param1
            } as DriverInformation
        FROM watch_etw(guid="{747EF6FD-E535-4D16-B510-42C90F6873A1}",
            name=format(format="Velociraptor-%v-PrintService", args=now()))
        WHERE EventId = 316

      -- output rows and final binary enrichment
      SELECT
        EventTime,
        Provider,
        EventId,
        Action,
        EventData.param1 as Name,
        EventData.param2 as Platform,
        DriverInformation.Version as Version,
        if(condition=DriverInformation,
            then= dict(
                DriverPath=DriverInformation.DriverPath,
                ConfigFile=DriverInformation.ConfigFile,
                DataFile=DriverInformation.DataFile),
            else= EventData.param4) as Files,
        hash(path=DriverInformation.DataFile) as DataFileHash,
        parse_pe(file=DriverInformation.DataFile) as DataFilePE,
        authenticode(filename=DriverInformation.DataFile) as DataFileAuthenticode
      FROM hits