PrintNightmare (CVE-2021-1675)

Mitigation

Detection Technique

// Scope the hunt to servers; driver loads on workstations are not considered here.
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Distinct hashes of images loaded from the spooler driver directory (startswith is case-insensitive),
// enriched with FileProfile (up to 1000 hashes) and kept only if rare and not validly Microsoft-signed.
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
// Join back to the load events to see which device and process loaded each suspicious driver;
// ccmexec.exe (the Configuration Manager client host) is excluded as a known benign loader.
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
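The same hunting logic reproduced offline in plain Python, as an added example that is not part of the original post: the device list, image-load events and the FileProfile enrichment table are constructed stand-ins for the DeviceInfo, DeviceImageLoadEvents and FileProfile() tables, so each filter and the SHA1 join can be checked against known inputs.

```python
# Added example: re-implements the KQL hunt above over constructed sample data.
SPOOL_DRIVERS = r"c:\windows\system32\spool\drivers"

# Constructed stand-in for DeviceInfo: one workstation and two servers.
DEVICE_INFO = [
    {"DeviceId": "ws1", "DeviceType": "Workstation"},
    {"DeviceId": "srv1", "DeviceType": "Server"},
    {"DeviceId": "srv2", "DeviceType": "Server"},
]

# Constructed stand-in for DeviceImageLoadEvents (paths and hashes are made up).
IMAGE_LOADS = [
    # Rare unsigned DLL loaded by the spooler on a server: should be reported.
    {"DeviceId": "srv1", "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "SHA1": "aaa1", "InitiatingProcessFileName": "spoolsv.exe"},
    # Same hash loaded by the Configuration Manager client: excluded by the query.
    {"DeviceId": "srv2", "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "SHA1": "aaa1", "InitiatingProcessFileName": "ccmexec.exe"},
    # Widespread, validly Microsoft-signed driver: dropped by the FileProfile filter.
    {"DeviceId": "srv1", "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll",
     "SHA1": "bbb2", "InitiatingProcessFileName": "spoolsv.exe"},
    # Workstation load: out of scope for this server-only hunt.
    {"DeviceId": "ws1", "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "SHA1": "aaa1", "InitiatingProcessFileName": "spoolsv.exe"},
]

# Constructed stand-in for the FileProfile() enrichment, keyed by SHA1.
FILE_PROFILE = {
    "aaa1": {"GlobalPrevalence": 3, "IsRootSignerMicrosoft": 0, "SignatureState": "Unsigned"},
    "bbb2": {"GlobalPrevalence": 900000, "IsRootSignerMicrosoft": 1, "SignatureState": "SignedValid"},
}

def hunt(device_info, image_loads, file_profile):
    """Return the image-load events the KQL query would surface."""
    servers = {d["DeviceId"] for d in device_info if d["DeviceType"] != "Workstation"}
    # KQL startswith is case-insensitive, so compare lower-cased paths.
    spool_loads = [e for e in image_loads
                   if e["DeviceId"] in servers
                   and e["FolderPath"].lower().startswith(SPOOL_DRIVERS)]
    suspicious = set()
    for sha1 in {e["SHA1"] for e in spool_loads}:      # distinct SHA1, then enrich
        p = file_profile.get(sha1)
        if p and p["GlobalPrevalence"] < 50 and p["IsRootSignerMicrosoft"] != 1 \
                and p["SignatureState"] != "SignedValid":
            suspicious.add(sha1)
    # Inner join back on SHA1, then drop the known benign loader.
    return [e for e in spool_loads
            if e["SHA1"] in suspicious and e["InitiatingProcessFileName"] != "ccmexec.exe"]
```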

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.

redhead0ntherun