Under Review

Printnightmare Hunting Query (Data Lake)

We've created a hunting query for possible infected cve-2021-1675 Hosts, based on this Sigma Rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml

The input variable "C:\Windows\System32\spool\drivers\x64\%"

SELECT
    meta_hostname AS ep_name,
    filename,
    path,
    ctime,
    sha1,
    sha256,
    file_size,
    ml_score,
    ml_score_data,
    pua_score,
    global_rep,
    global_rep_data,
    local_rep,
    local_rep_data,
    core_file_info
FROM xdr_data
WHERE
(path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll')
AND (local_rep_data like '%"isValid":0,"signer"%'
OR ml_score > 25
OR pua_score > 25)

Parents Comment Children