zyrone27
olafhartong
/ 2021-1675-spooler-imageloads.kql
Last active
November 2, 2024 13:39
2021-1675 - PrintNightmare KQL - MDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let serverlist=DeviceInfo | |
| | where DeviceType != "Workstation" | |
| | distinct DeviceId; | |
| let suspiciousdrivers=DeviceImageLoadEvents | |
| | where DeviceId in (serverlist) | |
| | where FolderPath startswith @"c:\windows\system32\spool\drivers" | |
| | distinct SHA1 | |
| | invoke FileProfile(SHA1, 1000) | |
| | where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid"; | |
| suspiciousdrivers |