This note documents detection patterns for the Printer Bug within Active Directory environments: a forced-authentication technique in which an attacker calls the print spooler's MS-RPRN interface (RpcRemoteFindFirstPrinterChangeNotificationEx) on a target, typically a domain controller, and makes its spooler authenticate with the machine account to an attacker-chosen host, where the authentication is captured or relayed.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Logged on the relay target (or on the attacker's domain-joined host), not on the coerced machine: the coerced machine account (for example DC01$) appears with Logon Type 3 and a Source Network Address that belongs to the attacker, not to the host named in the account. |
| Security | 4769 | Kerberos service ticket request | High | Only present when the coercion target is supplied as a hostname and Kerberos is negotiated; coercion to an IP address normally falls back to NTLM, so the absence of 4769 does not rule out an attack. |
| Security | 4776 | NTLM credential validation | Critical | Logged on the domain controller that validates the relayed NTLM exchange, with a TargetUserName ending in `$`. Present only when the authentication is relayed to a domain-joined service; a pure capture of the hash produces no 4776. |
| Security | 5140 | Network share object accessed | Medium | Logged on the relay target when the relayed session goes on to touch a share (IPC$, ADMIN$, C$); the coercion callback itself does not generate it. |
| Sysmon | 3 | Network connection | Critical | Outbound connection initiated by `spoolsv.exe` on the coerced host to the attacker's listener on 445/139 (or to an HTTP/WebDAV relay endpoint when the callback is steered that way). The spooler should only open SMB to known print servers. |
| Sysmon | 1 | Process creation | Medium | Execution of coercion tooling (SpoolSample.exe, `python` running printerbug.py or Coercer) on a domain-joined host the attacker operates from; absent when the tooling runs on an unmanaged machine. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Authentication from machine account | Computer account logging on where its source address is not the host it names | Critical | Printer Bug coerces machine-account authentication; a relayed logon carries the attacker's IP with the victim's account. |
| Outbound authentication from server | Server authenticating to a host it has no business with | High | Common relay scenario indicator; needs a baseline of normal account-to-destination pairs. |
| SMB connections initiated by domain controllers | DC initiating outbound SMB, especially from `spoolsv.exe` | Critical | Often indicates a coercion attempt. DCs legitimately reach SYSVOL and NETLOGON on peer DCs, so baseline those pairs before alerting. |
| Execution of coercion tools | Processes or command lines referencing PrinterBug, SpoolSample or Coercer | Critical | Direct evidence of exploitation. |
| NTLM authentication followed by relay activity | Machine-account NTLM logon immediately followed by privileged activity on another service | High | Indicates an NTLM relay chain. |
Common Tools
| Tool | Usage |
|---|---|
| SpoolSample | C# tool that triggers the Printer Bug via the MS-RPRN protocol. |
| printerbug.py | Python implementation built on Impacket (part of the krbrelayx toolkit), not an Impacket script itself. |
| ntlmrelayx | Impacket relay server; relays the coerced authentication to SMB, LDAP, HTTP or other services. |
| Coercer | Framework automating coercion across MS-RPRN and other RPC interfaces. |
| CrackMapExec | Used to enumerate hosts without SMB signing (relay targets) and alongside relay attacks. |
Relevant Artifacts
- Domain controller Security logs (4776 on the validating DC; 4624 and 4769 where the coerced account logs on)
- Security logs on the relay target (4624, 5140)
- Network traffic logs showing outbound SMB (445/139) connections from servers, especially DCs
- Sysmon logs (1, 3), with `spoolsv.exe` as the initiating image for Event 3
- EDR telemetry identifying coercion tools
- Prefetch artifacts for PrinterBug or SpoolSample on the attacker's host
- Authentication logs on relay target systems
- NTLM relay artifacts: relay-tool output on the attacker host and, for relays to LDAP, unexpected object changes in AD (new computer accounts, delegation or ACL changes)
MITRE ATT&CK References
- T1187 Forced Authentication
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Decision Tree
- Is the suspicious event present?
- Identify machine-account (name ending in `$`) logons and NTLM validations, and `spoolsv.exe` outbound SMB connections.
- What host generated the event?
- Determine which server's spooler initiated the authentication (Sysmon 3 with Image `spoolsv.exe`) and which host received the logon.
- Is the authentication expected?
- Check whether the machine normally authenticates to that destination, and whether the logon's source IP is the machine's real address.
- Pivot:
- Source host → inspect execution of coercion tools and the spooler's outbound connections.
- Destination host → analyze relay attempts and what the relayed session did (share access, service creation, LDAP writes).
- Network → inspect SMB authentication flows between the coerced host, the attacker address and the relay target.
- Confirm exploitation
- Determine whether the coerced authentication was relayed to escalate privileges (for example to a DC over SMB, or to LDAP to change delegation settings).
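The decision tree above, as detection logic over sample events. This is an added example, not code from the original note or from any of the tools it lists; the asset inventory, the allowed print-server list and the Sysmon/Security events are constructed for illustration. It flags the two strongest direct indicators (a `spoolsv.exe` SMB connection to an unknown host, and a computer account logging on from an address that is not its own) and then chains them: a callback to IP X from host H, followed within a window by H$ logging on elsewhere from that same IP X, is the coerce-then-relay pattern.

```python
"""Correlate Printer Bug coercion with NTLM relay across constructed Sysmon and
Security events. Added example; the inventory and events below are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical asset inventory: computer account -> the IP it should appear from.
# A real deployment would source this from DNS/DHCP or a CMDB.
ASSET_IP = {"DC01$": "10.0.0.10", "FS01$": "10.0.0.20"}
# Hypothetical allow-list: hosts the spooler may legitimately reach over SMB.
ALLOWED_SPOOLER_TARGETS = {"10.0.0.30"}
SMB_PORTS = {445, 139}


@dataclass
class Event:
    ts: datetime
    host: str            # host that wrote the log
    source: str          # "sysmon" or "security"
    event_id: int
    data: dict = field(default_factory=dict)


T0 = datetime(2024, 5, 1, 10, 0, 0)

# Constructed sample telemetry (not real logs).
EVENTS = [
    # Sysmon 3 on DC01: spoolsv.exe calls back to an unknown host on 445 (coercion).
    Event(T0, "DC01", "sysmon", 3,
          {"Image": r"C:\Windows\System32\spoolsv.exe", "Initiated": "true",
           "DestinationIp": "10.0.0.99", "DestinationPort": 445}),
    # Sysmon 3 on DC01: benign spooler traffic to the real print server.
    Event(T0 + timedelta(minutes=1), "DC01", "sysmon", 3,
          {"Image": r"C:\Windows\System32\spoolsv.exe", "Initiated": "true",
           "DestinationIp": "10.0.0.30", "DestinationPort": 445}),
    # Security 4624 on FS01: DC01$ logs on over NTLM from 10.0.0.99, not DC01's IP.
    # This is what the relayed coerced authentication looks like on the target.
    Event(T0 + timedelta(seconds=3), "FS01", "security", 4624,
          {"TargetUserName": "DC01$", "LogonType": "3",
           "AuthenticationPackageName": "NTLM", "WorkstationName": "DC01",
           "IpAddress": "10.0.0.99"}),
    # Security 4624 on FS01: benign, DC01$ arriving from its own address.
    Event(T0 + timedelta(minutes=5), "FS01", "security", 4624,
          {"TargetUserName": "DC01$", "LogonType": "3",
           "AuthenticationPackageName": "Kerberos", "WorkstationName": "DC01",
           "IpAddress": "10.0.0.10"}),
]


def spooler_callbacks(events):
    """Sysmon 3: spoolsv.exe initiating SMB to a host that is not a known print server."""
    hits = []
    for e in events:
        if e.source != "sysmon" or e.event_id != 3:
            continue
        d = e.data
        if (d.get("Image", "").lower().endswith("\\spoolsv.exe")
                and d.get("Initiated") == "true"
                and d.get("DestinationPort") in SMB_PORTS
                and d.get("DestinationIp") not in ALLOWED_SPOOLER_TARGETS):
            hits.append(e)
    return hits


def mismatched_machine_logons(events):
    """Security 4624, type 3: a computer account arriving from an IP that is not its own."""
    hits = []
    for e in events:
        if e.source != "security" or e.event_id != 4624:
            continue
        d = e.data
        acct = d.get("TargetUserName", "")
        if d.get("LogonType") != "3" or not acct.endswith("$"):
            continue
        expected = ASSET_IP.get(acct)
        if expected is not None and d.get("IpAddress") != expected:
            hits.append(e)
    return hits


def correlate(events, window=timedelta(minutes=5)):
    """Chain the two indicators: callback from host H to IP X, then H$ logging on
    elsewhere from X within `window`. Returns one record per coerce-and-relay chain."""
    chains = []
    for cb in spooler_callbacks(events):
        attacker_ip = cb.data["DestinationIp"]
        for lg in mismatched_machine_logons(events):
            same_account = lg.data["TargetUserName"].rstrip("$").upper() == cb.host.upper()
            in_window = cb.ts <= lg.ts <= cb.ts + window
            if same_account and in_window and lg.data["IpAddress"] == attacker_ip:
                chains.append({"coerced_host": cb.host, "attacker_ip": attacker_ip,
                               "relay_target": lg.host,
                               "delay_s": (lg.ts - cb.ts).total_seconds()})
    return chains


if __name__ == "__main__":
    for c in correlate(EVENTS):
        print(f"[!] {c['coerced_host']} coerced to {c['attacker_ip']}, "
              f"relayed to {c['relay_target']} after {c['delay_s']:.0f}s")
```

Run against the constructed events it reports one chain: DC01 coerced to 10.0.0.99 and DC01$ relayed onto FS01 three seconds later, while the benign spooler traffic to the print server and the normal DC01$ logon from its own address are left alone. The IP-mismatch check is the part that survives relay: ntlmrelayx forwards the NTLM AUTHENTICATE message, so the Workstation name in 4624/4776 still reads as the victim, but the TCP source address on the relay target is the attacker's.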
Example Detection Templates
KQL

```kql
// 4776 on the DC: NTLM validation of computer accounts. Noisy on its own; summarize
// and compare the Workstation value against each account's usual value.
SecurityEvent
| where EventID == 4776
| where TargetUserName endswith "$"
| summarize count() by TargetUserName, Workstation, bin(TimeGenerated, 5m)
```

```kql
// Device telemetry: the spooler itself opening SMB. Exclude known print servers.
DeviceNetworkEvents
| where RemotePort in (445, 139)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| summarize count() by DeviceName, RemoteIP, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4776" and winlog.event_data.TargetUserName : "*$"
```

Sigma

```yaml
title: Suspicious Machine Account Authentication
status: experimental
description: Detects NTLM validation of a computer account (4776) that may indicate Printer Bug coercion; baseline against the account's usual Workstation values before alerting
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4776
    TargetUserName|endswith: '$'
  condition: selection
fields:
  - TargetUserName
  - Workstation
falsepositives:
  - Legitimate machine authentication
level: medium
tags:
  - attack.credential_access
  - attack.t1187
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Spooler service | Disable the Print Spooler service on domain controllers (and on any server that does not need to print) | Critical | Removes the MS-RPRN interface the coercion call relies on; Microsoft recommends this for DCs. |
| NTLM restrictions | Disable or restrict NTLM authentication (audit with NTLM auditing first, then apply the Network security: Restrict NTLM policies) | High | Reduces the relay attack surface; the coercion still fires but the captured authentication becomes far less usable. |
| SMB signing | Require SMB signing on all hosts | High | Blocks relay to SMB only. Relay to LDAP/LDAPS also needs LDAP signing and channel binding, and relay to HTTP services such as AD CS web enrollment needs Extended Protection for Authentication. |
| Monitoring | Alert on machine-account outbound authentication and on `spoolsv.exe` outbound SMB | High | Detects coercion attempts. |
| Network segmentation | Limit SMB communication between servers | Medium | Reduces relay opportunities. |
| Registry | RegisterSpoolerRemoteRpcEndPoint set to 2 (the Group Policy setting "Allow Print Spooler to accept client connections" = Disabled)<br><br>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v RegisterSpoolerRemoteRpcEndPoint /t REG_DWORD /d 2 /f<br><br>Restart the Print Spooler service (or the machine) for the change to take effect.<br><br> | High | Stops the spooler from registering its remote RPC endpoint, so remote MS-RPRN calls are refused while local printing keeps working. Less complete than disabling the service. |