The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Guide to detection with a SIEM:
Verify that the required event logs are enabled. Print driver installation and load events are written to the Microsoft-Windows-PrintService/Operational log, which is disabled by default, so it must be turned on (ideally via Group Policy) before any rule can fire.
Configure a WEF subscription to forward these event logs to the collector.
* We recommend collecting the logs from all DCs, servers, and workstations, since any host running the Print Spooler service is exposed.
Parse the forwarded events so that fields such as the event ID, the computer name and the driver file path can be matched by rules.
- Create rules based on Windows Event IDs:
- 809, 810, 812 with path: C:\Windows\system32\spool\drivers\x64\3\Old* (the Old\ directory is where the spooler moves the previous driver files when a driver is replaced, so a malicious driver DLL dropped through RpcAddPrinterDriverEx() ends up referenced under that path)
- Create rules based on anti-virus signatures, as a second, independent source of alerts
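The steps above carried through on a single Windows host, as an added example that is not part of the original guide: it enables the print service log, builds the XPath query that a WEF subscription or custom view would use for the rule's event IDs, and then applies the second half of the rule (the Old\ path match) to the events it finds. The event IDs 809, 810, 812 and the path are taken from the guide; the log name and cmdlets are standard Windows and PowerShell. Running it across a fleet, or inside the SIEM against forwarded events, is the same logic over a different input.

```powershell
# Added example (not from the original page). Assumes the guide's rule:
# event IDs 809, 810, 812 whose message references the Old\ staging directory.
$LogName        = 'Microsoft-Windows-PrintService/Operational'
$EventIds       = 809, 810, 812
$SuspiciousPath = 'C:\Windows\system32\spool\drivers\x64\3\Old'

function Enable-PrintServiceLog {
    # The Operational log is off by default; without it nothing below ever fires.
    # Enforce the setting via GPO in production so it survives rebuilds.
    $log = Get-WinEvent -ListLog $LogName
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Host "Enabled $LogName"
    } else {
        Write-Host "$LogName is already enabled"
    }
}

function Get-DriverEventQueryXml {
    # XPath selecting only the rule's event IDs. The same <QueryList> can be
    # pasted into a WEF subscription or an Event Viewer custom view.
    $idFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
@"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($idFilter)]]</Select>
  </Query>
</QueryList>
"@
}

function Find-SuspiciousDriverEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Get-WinEvent throws when no event matches; suppress that so a clean host
    # returns an empty result instead of an error.
    $events = Get-WinEvent -FilterXml ([xml](Get-DriverEventQueryXml)) -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since }
    foreach ($e in $events) {
        # Second stage of the rule: the message must reference the Old\ directory
        # where the spooler moves replaced driver files. -like is case-insensitive.
        if ($e.Message -like "*$SuspiciousPath*") {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                EventId     = $e.Id
                Message     = ($e.Message -replace '\s+', ' ')
            }
        }
    }
}

Enable-PrintServiceLog
$hits = @(Find-SuspiciousDriverEvent)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) print driver event(s) matched the rule:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No matching print driver events in the last 7 days."
}
```

Run it in an elevated PowerShell session, since enabling a log requires administrative rights. Treat a hit as a lead rather than a verdict: legitimate driver updates also move files into Old\, so correlate the event with who installed the driver and whether the driver file was expected before escalating.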