printnightmare-cve-2021-1675 usage detection
The first query digs into the print spooler drivers folder for any file creations. MANY OF THE FILES THAT COME UP HERE MAY BE LEGITIMATE: the suspicious ones are unsigned files, or files with no relation to the printers you actually use.
The second query can be used to find client machines that may be operating as print servers or file servers. As additional mitigation for the exploit, if you need to keep the spooler service running so clients can print, you may want to block incoming traffic to the SMB (445) and EPMAP ports.
Query
```kusto
// First query: file creations in the print spooler drivers folder over the last 7 days
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers"
```

```kusto
// Second query: hosts accepting SMB connections (local port 445), with distinct remote IPs per initiating process
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where LocalPort == 445
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
```
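The two queries above applied offline to exported rows, as an added Python example that is not part of the original page or of the hunting-query repository: it reproduces the first query's path filter and the second query's dcount, and adds the allowlist triage the text describes. The event rows, the allowlist and the UNIDRV.DLL file name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPOOL_DRIVERS = r"c:\windows\system32\spool\drivers"  # KQL startswith is case-insensitive
# Constructed sample rows shaped like DeviceFileEvents / DeviceNetworkEvents; not real telemetry.
NOW = datetime(2021, 7, 8, tzinfo=timezone.utc)
FILE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "ActionType": "FileCreated", "DeviceName": "ws01",
     "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL", "FileName": "UNIDRV.DLL"},
    {"Timestamp": NOW - timedelta(days=2), "ActionType": "FileCreated", "DeviceName": "ws01",
     "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\unknown.dll", "FileName": "unknown.dll"},
    {"Timestamp": NOW - timedelta(days=10), "ActionType": "FileCreated", "DeviceName": "ws02",
     "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\old.dll", "FileName": "old.dll"},
]
NET_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=h), "DeviceName": "ws01", "LocalPort": port, "RemoteIP": ip,
     "InitiatingProcessFileName": "System", "InitiatingProcessId": 4,
     "InitiatingProcessCreationTime": NOW - timedelta(days=30)}
    for h, port, ip in [(1, 445, "10.0.0.5"), (2, 445, "10.0.0.6"), (3, 445, "10.0.0.5"), (4, 3389, "10.0.0.9")]
]

def spool_driver_creations(events, now=NOW, window_days=7):
    # First query: FileCreated under the spool drivers folder within the time window.
    since = now - timedelta(days=window_days)
    return [e for e in events
            if e["Timestamp"] > since and e["ActionType"] == "FileCreated"
            and e["FolderPath"].lower().startswith(SPOOL_DRIVERS)]

def triage_unexpected(creations, expected_files):
    # Drop files from printer drivers known to be in use (constructed allowlist); the rest are suspicious.
    known = {f.lower() for f in expected_files}
    return [e for e in creations if e["FileName"].lower() not in known]

def smb_remote_ip_counts(events, now=NOW, window_days=7):
    # Second query: dcount(RemoteIP) on local port 445 per device and initiating process.
    since = now - timedelta(days=window_days)
    remote_ips = defaultdict(set)
    for e in events:
        if e["Timestamp"] > since and e["LocalPort"] == 445:
            key = (e["DeviceName"], e["InitiatingProcessFileName"],
                   e["InitiatingProcessId"], e["InitiatingProcessCreationTime"])
            remote_ips[key].add(e["RemoteIP"])
    return {k: len(v) for k, v in remote_ips.items()}

if __name__ == "__main__":
    for e in triage_unexpected(spool_driver_creations(FILE_EVENTS), ["UNIDRV.DLL"]):
        print("unexpected driver file:", e["DeviceName"], e["FolderPath"])
    for key, n in smb_remote_ip_counts(NET_EVENTS).items():
        print("SMB listener", key[0], key[1], "distinct remote IPs:", n)
```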
Category
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes |
---|---|---|
Initial access | ||
Execution | ||
Persistence | ||
Privilege escalation | v | |
Defense evasion | ||
Credential Access | ||
Discovery | ||
Lateral movement | v | |
Collection | ||
Command and control | ||
Exfiltration | ||
Impact | ||
Vulnerability | ||
Exploit | v | |
Misconfiguration | ||
Malware, component | ||
Ransomware | | |
Contributor info
Contributor: Carl Peter McCollough
GitHub alias: YulelogPagoda
Contact info: https://www.linkedin.com/in/petemccollough/