@olafhartong
Last active August 3, 2021 17:34
2021-1675 - PrintNightmare KQL - MDE
let serverlist=DeviceInfo
// Scope to servers: print servers are the target of the PrintNightmare RCE
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
// Print driver packages are staged in the spooler's driver store
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
// Enrich each hash with global prevalence and signer data (MDE advanced hunting only)
| invoke FileProfile(SHA1, 1000)
// Keep rare files that are not Microsoft-signed and carry no valid signature.
// Note: GlobalPrevalence is empty for files MDE has never profiled, and an empty
// value does not satisfy "< 50", so such files are dropped by this filter.
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
// Join back to the load events for the flagged hashes to recover device and process context
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
// The ConfigMgr client (ccmexec.exe) also stages drivers; exclude it to reduce noise
| where InitiatingProcessFileName != "ccmexec.exe"
// Optionally filter for only the print spooler loading the driver to make it specific to this attack
//| where InitiatingProcessFileName == "spoolsv.exe"
@GossiTheDog

Suggestion - filter for spoolsv.exe, to avoid other processes adding drivers etc.:

| where InitiatingProcessFileName == "spoolsv.exe"

@oden360

oden360 commented Jul 1, 2021

@blebit18

blebit18 commented Jul 1, 2021

Hi,
I am new to Sentinel. I hope you can help.
I get this message after copy-paste on my Sentinel:

'where' operator: Failed to resolve column or scalar expression named 'DeviceType'
If issue persists, please open a support ticket

Thank you

@olafhartong
Author

thanks @GossiTheDog, added this

@blebit18 this is a Defender for Endpoint table, which does not appear to be available in Sentinel. So you'll have to query it there if you have that license.

@zyrone27

zyrone27 commented Jul 6, 2021

Hi @olafhartong, can you please explain what does this query do? I'm a newbie in KQL queries. Thank you so much

@BeinGreen

@blebit18 The tables referenced by the query DO get fed to Azure Sentinel (with the 365 connector), so theoretically you could get the job done in Sentinel, but:

In line 2 change "DeviceType" to "Type"

and ugh, it's not as quick and dirty as I thought it would be, because:

In line 8 ... the "FileProfile" function seems to be unique to Defender's advanced hunting and not valid in Sentinel. I'm also not sure if the prevalence information referenced in line 9 is available in Sentinel so you may not be able to reconstruct this for Sentinel after all (in the absence of MacGyvering a way to get more data into it).

An easy way to understand what the query is doing is to run pieces of it at a time. Do a query for just the "DeviceInfo" and "DeviceImageLoadEvents" tables for the last hour and look at the columns/fields in each and that will help understand what the query is doing.

I'm a mere mortal next to Gossi but it's looking for signs of the PrintNightmare attacks by looking for suspicious/unsigned print drivers being loaded. It does this by leveraging the information about the driver files in DeviceImageLoadEvents that are not widely seen, are not signed by Microsoft and don't contain a valid signature.
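As an added example (not part of olafhartong's gist or any of the comments above), the following variant drops the MDE-only FileProfile() call and reconstructs its two inputs from tables that the Microsoft 365 Defender connector also ships to Sentinel: prevalence is approximated tenant-locally as the number of distinct servers that loaded a given hash, and signer data comes from DeviceFileCertificateInfo. It assumes both DeviceImageLoadEvents and DeviceFileCertificateInfo are ingested into the workspace; the 30-day lookback and the LocalDeviceCount threshold of 5 are illustrative choices, not values from the page.

```kql
// Added example: Sentinel/MDE-friendly PrintNightmare driver-load hunt without FileProfile().
// Assumptions: DeviceImageLoadEvents and DeviceFileCertificateInfo are both available;
// lookback and the prevalence threshold are illustrative and should be tuned per tenant.
let lookback = 30d;
let driverpath = @"c:\windows\system32\spool\drivers";
let serverlist = DeviceInfo
| where Timestamp > ago(lookback)
| where DeviceType != "Workstation"
| distinct DeviceId;
// Driver images loaded by the print spooler itself, on servers only
let driverloads = DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where DeviceId in (serverlist)
| where FolderPath startswith driverpath
| where InitiatingProcessFileName =~ "spoolsv.exe";
// Tenant-local prevalence: how many distinct servers loaded each hash, and when it first appeared
let localprevalence = driverloads
| summarize LocalDeviceCount = dcount(DeviceId), FirstLoad = min(Timestamp) by SHA1;
// Most recent signature verdict MDE recorded for each hash
let certinfo = DeviceFileCertificateInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer) by SHA1;
driverloads
| join kind=inner localprevalence on SHA1
// leftouter so a hash with no certificate record is kept rather than silently dropped
| join kind=leftouter certinfo on SHA1
| where LocalDeviceCount < 5
// Flag when the signer is not Microsoft and the file is untrusted, unsigned, or has no cert record at all
| where isnull(IsRootSignerMicrosoft) or IsRootSignerMicrosoft == false
| where isnull(IsTrusted) or IsTrusted == false
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, LocalDeviceCount, FirstLoad,
          IsSigned, IsTrusted, Signer, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Run it in the workspace's Logs blade (or in MDE advanced hunting, where it also works). Because the left outer join keeps hashes that never received a certificate verdict, the result set errs towards more rows than the FileProfile() version; review the IsTrusted column to separate "known bad signature" from "no data" before turning the query into an analytics rule.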
