
Insider Threat Matrix™

  • ID: DT007
  • Created: 25th May 2024
  • Updated: 19th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Printed Documents via Event Logs

Windows records print activity in the Event Logs, including print job creation, completion, and errors, as well as the addition or deletion of printer devices.

 

Windows Logs -> System

Event ID 307 - A document was printed.

Event ID 310 - A document failed to print.

Event ID 701 - Printer status changed.

Event ID 703 - Printer object added.

Event ID 804 - Document resumed for printing.

Event ID 805 - Printer driver was installed.

 

Applications and Services Logs -> Microsoft -> Windows -> PrintService -> Operational

Event ID 808 - Printer driver was installed.

Event ID 843 - The print spooler failed to import the printer driver.

Event ID 1000 - Document print started.

Event ID 1001 - Document was printed.

Event ID 1100 - Printer was added.

Event ID 1101 - Printer was deleted.

Event ID 1200 - Print spooler service started.

Event ID 1201 - Print spooler service stopped.
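
One way to triage these events offline, as an added example that is not part of the Insider Threat Matrix page: it reads an XML export of the two logs (assumed to be wrapped in a single root element), keeps only the event IDs listed above, and counts print events per user SID, including those logged after the same SID added a printer. The SIDs and sample events are constructed, and treating the Security UserID attribute as the printing subject is an assumption to verify in your environment.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OPS = "Microsoft-Windows-PrintService/Operational"
# Channel -> event IDs, exactly as listed on this page.
PAGE_IDS = {"System": {307, 310, 701, 703, 804, 805},
            OPS: {808, 843, 1000, 1001, 1100, 1101, 1200, 1201}}
PRINTED = {("System", 307), (OPS, 1001)}        # "document was printed"
PRINTER_ADDED = {("System", 703), (OPS, 1100)}  # "printer (object) added"

def timeline(xml_text):
    """Return the page's print events as (time, SID, (channel, id)), oldest first."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        s = ev.find("e:System", NS)
        ch = s.findtext("e:Channel", namespaces=NS)
        eid = int(s.findtext("e:EventID", namespaces=NS))
        if eid not in PAGE_IDS.get(ch, ()):
            continue  # unrelated event that happens to be in the same export
        sec = s.find("e:Security", NS)
        rows.append((s.find("e:TimeCreated", NS).get("SystemTime"),
                     sec.get("UserID") if sec is not None else None, (ch, eid)))
    return sorted(rows, key=lambda r: r[0])  # same-format ISO 8601 sorts as text

def summarize(xml_text):
    """Per SID: (print events, print events after that SID added a printer)."""
    seen_add, out = set(), defaultdict(lambda: [0, 0])
    for _, sid, key in timeline(xml_text):
        if key in PRINTER_ADDED:
            seen_add.add(sid)
        elif key in PRINTED:
            out[sid][0] += 1
            out[sid][1] += sid in seen_add
    return {sid: tuple(c) for sid, c in out.items()}

def _ev(t, sid, ch, eid):  # builds one constructed event in the standard envelope
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{t}"/><Channel>{ch}</Channel>'
            f'<Security UserID="{sid}"/></System></Event>')

A, B = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002"  # constructed SIDs
SAMPLE = "<Events>" + "".join([                       # constructed sample export
    _ev("2024-06-19T09:07:00.0000000Z", B, OPS, 1001),
    _ev("2024-06-19T09:00:00.0000000Z", A, "System", 307),
    _ev("2024-06-19T09:05:00.0000000Z", B, OPS, 1100),
    _ev("2024-06-19T09:08:00.0000000Z", B, "System", 7036),  # not on the page
    _ev("2024-06-19T09:10:00.0000000Z", B, OPS, 1001),
]) + "</Events>"
```

Calling summarize(SAMPLE) returns one tuple per SID; a non-zero second value marks print events that followed a printer being added and is a lead for review, not a finding.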

Sections

| ID | Name | Description |
| --- | --- | --- |
| PR013 | Testing Ability to Print | A subject attempts to print a document from a system to identify if this capability is permitted, restricted, or not possible. |
| ME014 | Printing | A subject has the ability to print documents and other files. |
| IF006 | Unauthorized Printing of Documents | A subject exfiltrates information by printing it to paper or other physical medium. |
| IF006.001 | Printing of Documents with Personal Printer | A subject prints a document using a printer they own, physically exfiltrating the information. |
| IF006.002 | Printing of Documents with Work Printer | A subject prints a document using a printer owned by the organization, with the intent to physically exfiltrate the information. |
| ME014.001 | External Printing | A subject has the ability to print documents and other files with a printer outside of the organisation’s control. |
| IF002.005 | Exfiltration via Physical Documents | A subject transports physical documents outside of the control of the organization. |