zyrone27 · July 6, 2021 00:31
diff --git a/2021-1675-spooler-imageloads.kql b/2021-1675-spooler-imageloads.kql
 let serverlist=DeviceInfo
 | where DeviceType != "Workstation"
 | distinct DeviceId;
 let suspiciousdrivers=DeviceImageLoadEvents
 | where DeviceId in (serverlist)
 | where FolderPath startswith @"c:\windows\system32\spool\drivers"
 | distinct SHA1
 | invoke FileProfile(SHA1, 1000) 
 | where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
 suspiciousdrivers
 | join kind=inner (DeviceImageLoadEvents
 | where DeviceId in (serverlist)
 | where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
 | where InitiatingProcessFileName != "ccmexec.exe"
 // Optionally filter for only the print spooler to load the driver to make it specific to this attack
 //| where InitiatingProcessFileName == "spoolsv.exe"
	let serverlist=DeviceInfo
	\| where DeviceType != "Workstation"
	\| distinct DeviceId;
	let suspiciousdrivers=DeviceImageLoadEvents
	\| where DeviceId in (serverlist)
	\| where FolderPath startswith @"c:\windows\system32\spool\drivers"
	\| distinct SHA1
	\| invoke FileProfile(SHA1, 1000)
	\| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
	suspiciousdrivers
	\| join kind=inner (DeviceImageLoadEvents
	\| where DeviceId in (serverlist)
	\| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
	\| where InitiatingProcessFileName != "ccmexec.exe"
	// Optionally filter for only the print spooler to load the driver to make it specific to this attack
	//\| where InitiatingProcessFileName == "spoolsv.exe"