PrintNightmare (CVE-2021-1675)

Mitigation

Detection Technique

// Scope to non-workstation devices (print servers, domain controllers, etc.)
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Rare, non-Microsoft-signed images loaded from the spooler driver directory
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
// Join back to the load events for device and process context;
// ccmexec.exe (the Configuration Manager client) is excluded as a known benign loader
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
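The same hunting logic, re-implemented in Python so it can be tested offline against exported telemetry. This is an added example, not code from the original post; the device table, file-profile lookup, hashes and event rows are constructed sample data.

```python
# Offline version of the spool-driver hunt above. All data below is constructed.
SPOOL_DRIVER_DIR = r"c:\windows\system32\spool\drivers"

# Stand-in for DeviceInfo: device id -> DeviceType.
DEVICE_INFO = {"srv-01": "Server", "dc-01": "DomainController", "ws-07": "Workstation"}

# Stand-in for the FileProfile enrichment, keyed by SHA1 (placeholder hashes).
FILE_PROFILE = {
    "aaaa": {"GlobalPrevalence": 2, "IsRootSignerMicrosoft": 0, "SignatureState": "Unsigned"},
    "bbbb": {"GlobalPrevalence": 90000, "IsRootSignerMicrosoft": 1, "SignatureState": "SignedValid"},
    "cccc": {"GlobalPrevalence": 3, "IsRootSignerMicrosoft": 0, "SignatureState": "Unsigned"},
}

# Stand-in for DeviceImageLoadEvents rows.
IMAGE_LOADS = [
    {"DeviceId": "srv-01", "FolderPath": SPOOL_DRIVER_DIR + r"\x64\3\evil.dll", "SHA1": "aaaa", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "dc-01", "FolderPath": SPOOL_DRIVER_DIR + r"\x64\3\unidrv.dll", "SHA1": "bbbb", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "ws-07", "FolderPath": SPOOL_DRIVER_DIR + r"\x64\3\evil.dll", "SHA1": "aaaa", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "srv-01", "FolderPath": SPOOL_DRIVER_DIR + r"\x64\3\pkg.dll", "SHA1": "cccc", "InitiatingProcessFileName": "ccmexec.exe"},
    {"DeviceId": "srv-01", "FolderPath": r"c:\program files\app\plugin.dll", "SHA1": "aaaa", "InitiatingProcessFileName": "app.exe"},
]


def is_spool_driver_load(ev):
    # KQL startswith is case-insensitive, so normalise the path first.
    return ev["FolderPath"].lower().startswith(SPOOL_DRIVER_DIR)


def suspicious_driver_loads(device_info, file_profile, image_loads):
    """Return the image-load rows the KQL query would surface."""
    serverlist = {d for d, t in device_info.items() if t != "Workstation"}
    server_spool_loads = [ev for ev in image_loads
                          if ev["DeviceId"] in serverlist and is_spool_driver_load(ev)]
    # 'suspiciousdrivers': rare hashes that are not validly signed by Microsoft.
    suspicious = set()
    for sha1 in {ev["SHA1"] for ev in server_spool_loads}:
        p = file_profile.get(sha1)
        if p is None:
            continue  # no enrichment: the null comparisons in KQL drop the row too
        if (p["GlobalPrevalence"] < 50 and p["IsRootSignerMicrosoft"] != 1
                and p["SignatureState"] != "SignedValid"):
            suspicious.add(sha1)
    # Join back to the load events and apply the ccmexec.exe exclusion.
    return [ev for ev in server_spool_loads
            if ev["SHA1"] in suspicious
            and ev["InitiatingProcessFileName"].lower() != "ccmexec.exe"]
```

On the constructed rows only the unsigned, rare DLL loaded by spoolsv.exe on srv-01 survives: the workstation load, the validly signed driver, the ccmexec.exe load and the non-spool path are all filtered out.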

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.

redhead0ntherun