@Samirbous
Last active July 9, 2021 03:52
// Two-step sequence on one host: a non-SYSTEM, non-spooler process opens a connection between
// two dynamic-range ports, then spoolsv.exe (running as SYSTEM) accepts the matching inbound
// connection within one minute. DNS traffic is excluded in both steps; ':' is case-insensitive.
sequence by host.hostname with maxspan=1m
  [network where network.direction : ("egress", "outgoing") and
     process.name != "spoolsv.exe" and not network.protocol == "dns" and not user.name : "SYSTEM" and
     source.port >= 49152 and destination.port >= 49152] by destination.address, source.address, destination.port, source.port
  [network where process.name : "spoolsv.exe" and user.name : "SYSTEM" and
     network.direction : ("ingress", "incoming") and
     not network.protocol == "dns" and
     source.port >= 49152 and destination.port >= 49152] by source.address, destination.address, destination.port, source.port
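An added Python emulation of the sequence above (not part of the gist) that shows how the two steps are paired on the `by` keys and bounded by `maxspan`; it runs over constructed ECS-style events, and the hostname, ports, users and process names in the sample are made up.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)
EPHEMERAL = 49152  # start of the Windows dynamic port range, as in the query

def is_client_egress(e):
    # Step 1: outbound connection by a non-spooler process not running as SYSTEM
    # ('!=' / '==' are case-sensitive in EQL, ':' is case-insensitive)
    return (e["network.direction"] in ("egress", "outgoing")
            and e["process.name"] != "spoolsv.exe" and e["network.protocol"] != "dns"
            and e["user.name"].lower() != "system"
            and e["source.port"] >= EPHEMERAL and e["destination.port"] >= EPHEMERAL)

def is_spoolsv_ingress(e):
    # Step 2: spoolsv.exe as SYSTEM accepts the matching inbound connection
    return (e["process.name"].lower() == "spoolsv.exe" and e["user.name"].lower() == "system"
            and e["network.direction"] in ("ingress", "incoming") and e["network.protocol"] != "dns"
            and e["source.port"] >= EPHEMERAL and e["destination.port"] >= EPHEMERAL)

def join_key(e, first_step):
    # 'by' keys in the order the query lists them for each step, prefixed by the sequence host key
    addrs = ((e["destination.address"], e["source.address"]) if first_step
             else (e["source.address"], e["destination.address"]))
    return (e["host.hostname"],) + addrs + (e["destination.port"], e["source.port"])

def correlate(events):
    """Return [(egress_event, ingress_event), ...] pairs satisfying the sequence within MAXSPAN."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if is_client_egress(e):
            pending[join_key(e, True)] = e  # newer step-1 event with the same key replaces the older
        elif is_spoolsv_ingress(e):
            first = pending.pop(join_key(e, False), None)
            if first is not None and e["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, e))
    return hits

def _ev(secs, proc, user, direction, sport, dport, proto="tcp"):
    # constructed sample event (loopback on a single host, mimicking a local RPC connection)
    return {"@timestamp": datetime(2021, 7, 1, 12, 0, 0) + timedelta(seconds=secs),
            "host.hostname": "WS01", "process.name": proc, "user.name": user,
            "network.direction": direction, "network.protocol": proto,
            "source.address": "127.0.0.1", "destination.address": "127.0.0.1",
            "source.port": sport, "destination.port": dport}

SAMPLE_EVENTS = [  # constructed
    _ev(0, "powershell.exe", "alice", "egress", 51000, 49670),
    _ev(2, "spoolsv.exe", "SYSTEM", "ingress", 51000, 49670),       # pairs with the event above
    _ev(10, "chrome.exe", "alice", "egress", 52000, 49670, "dns"),  # excluded: dns
    _ev(12, "spoolsv.exe", "SYSTEM", "ingress", 52000, 49670),      # no step-1 match
    _ev(20, "cmd.exe", "bob", "egress", 53000, 49670),
    _ev(90, "spoolsv.exe", "SYSTEM", "ingress", 53000, 49670),      # 70s later: beyond maxspan
]
```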