PrinterNightmare Queries
// Based on https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Exploits/Print%20Spooler%20RCE
// adapted for Sysmon
// Hunt for PrintNightmare-style driver installs: one spoolsv.exe process writes
// a file into the x64 print-driver store and afterwards sets a "Data File" or
// "Configuration File" value under the Version-3 driver key that names that file.
// "Sysmon" is presumably the Sentinel Sysmon parser/table — confirm column names
// (ProcessGuid, ProcessPath, FileName, RegistryKeyDetails) against your parser.
// Registry side: Sysmon EventID 13 (RegistryEvent - Value Set) on the print-driver
// key. has/has_any are term matches and case-insensitive.
let RegistryMods = Sysmon
| where EventID == 13
| where RegistryKey has_any ("Data File", "Configuration File") and RegistryKey has "Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3"
| project TimeGenerated, ProcessGuid, ProcessPath, RegistryKey, RegistryKeyDetails;
// File side: Sysmon EventID 11 (FileCreate) by spoolsv.exe under spool\drivers\x64\3\.
Sysmon
| where EventID == 11
| where ProcessPath endswith "spoolsv.exe"
| where FileName has "spool\\drivers\\x64\\3\\"
// Same spoolsv process did both. Right-side columns that clash with the left
// (TimeGenerated, RegistryKeyDetails) get a "1" suffix after the join.
| join kind=inner RegistryMods on ProcessGuid
// The value must be set after the file write. There is no upper bound, so a
// long-lived spoolsv process can pair events that are far apart in time.
| where TimeGenerated1 >= TimeGenerated
// The value data (RegistryKeyDetails, presumably the Sysmon "Details" field)
// must name the file that was written.
| where FileName has RegistryKeyDetails1
// Driver components seen in routine installs. This exclusion is by bare value
// data only (no hash or signer) and !in is case-sensitive, so treat it as a
// coarse noise filter rather than an allow-list.
| where RegistryKeyDetails1 !in ("kernelbase.dll", "FXSUI.DLL", "PrintConfig.dll", "PS5UI.DLL", "unishare.gpd")
| project TimeGenerated, ProcessGuid, FileName, RegistryKeyDetails1
| sort by TimeGenerated desc
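// Based on https://www.reddit.com/r/crowdstrike/comments/oblzcl/20210701_cool_query_friday_printnightmare_poc/
// Two standalone Falcon-data-in-Splunk searches; run each on its own (the "//"
// lines are notes, not SPL). Both start from spoolsv.exe process events
// (ProcessRollup2), join the telemetry of that process on process id + agent id,
// enrich from aid_master and keep only servers and domain controllers.
// "where" is an eval comparison: the PE and ProductType tests are case-sensitive.
// "join" is an inner join on a subsearch and is subject to subsearch row limits.
// Changes from the source post:
//  - ProductType is added to the lookup OUTPUT list. The eval/where below read
//    it, but nothing in the original query brought it onto the event, so unless
//    ProductType already exists on ProcessRollup2 every row was dropped.
//    Assumes aid_master carries ProductType — confirm against your lookup.
//  - RegObjectName matches any ControlSet00N instead of only ControlSet001, since
//    the live control set is not always 001.
//  - The registry search reports RegObjectName; TargetFileName is not produced
//    by ProcessRollup2 or AsepValueUpdate, so values(TargetFileName) was empty.
//  - The file-write path escapes every backslash the same way ("3\\New\\*");
//    the original mixed "3\New\\*", presumably a transcription slip.
// Query for Registry Mods
event_simpleName=ProcessRollup2
| rename FileName as PE, ImageFileName as PE_Path, TargetProcessId_decimal as ContextProcessId_decimal
| where PE=="spoolsv.exe"
| join ContextProcessId_decimal, aid
[search event_simpleName=AsepValueUpdate (RegObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\*\\Data File" OR RegObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\*\\Configuration File")]
| lookup local=true aid_master aid OUTPUT Version MachineDomain OU SiteName ProductType
| eval ProductType=case(ProductType = "1","Workstation", ProductType = "2","Domain Controller", ProductType = "3","Server")
| where ProductType=="Server" OR ProductType=="Domain Controller"
| stats values(RegObjectName) by ContextProcessId_decimal, aid, ProductType
// Query for File Writes
// PeFileWritten under spool\drivers\x64\3\New\ — the staging directory the
// spooler writes a driver package to before installing it.
event_simpleName=ProcessRollup2
| rename FileName as PE, ImageFileName as PE_Path, TargetProcessId_decimal as ContextProcessId_decimal
| where PE=="spoolsv.exe"
| join ContextProcessId_decimal, aid
[search event_simpleName=PeFileWritten TargetFileName=*Windows\\System32\\spool\\drivers\\x64\\3\\New\\*]
| lookup local=true aid_master aid OUTPUT Version MachineDomain OU SiteName ProductType
| eval ProductType=case(ProductType = "1","Workstation", ProductType = "2","Domain Controller", ProductType = "3","Server")
| where ProductType=="Server" OR ProductType=="Domain Controller"
| stats values(TargetFileName) by ContextProcessId_decimal, aid, ProductType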
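// Based on https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Exploits/Print%20Spooler%20RCE
// Microsoft 365 Defender advanced hunting: a DLL dropped into the x64 print-driver
// store by a process that then sets a print-driver registry value naming it.
// Change from the source: the registry side of the join is filtered. Without it
// the join paired every file event with every registry event of the same process,
// so unrelated spoolsv registry activity surfaced as hits. The filters mirror the
// Sysmon variant (Version-3 driver key, value data referencing the file).
DeviceFileEvents
| where FolderPath contains @"\system32\spool\drivers\x64\3\"
| where FileName endswith ".dll"
| where ActionType in ("FileCreated", "FileRenamed")
// Same device and same initiating process (name + id). Right-side columns that
// clash with the left (Timestamp, ActionType) get a "1" suffix; RegistryKey and
// RegistryValueData exist only on the registry side and keep their names.
| join kind=inner DeviceRegistryEvents on DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessId
// Only print-driver value writes whose data references the dropped DLL.
| where RegistryKey has @"Control\Print\Environments\Windows x64\Drivers\Version-3"
| where RegistryValueData contains FileName
// Driver components seen in routine installs. Bare-name exclusion, case-sensitive
// (!in); pair with SHA256/signer columns when tuning rather than growing the list.
| where FileName !in ("UNIDRV.DLL", "kernelbase.dll")
// Value set after the file landed. No upper bound: InitiatingProcessId is reused
// over time, so consider also capping Timestamp1 - Timestamp when tuning.
| where Timestamp1 >= Timestamp
| sort by Timestamp desc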