Query Details

Print Nightmare

Query

//PrintNightmare CVE-2021-1675

DeviceFileEvents
| where Timestamp > ago(1d)
| where FolderPath matches regex @'\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)|\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$'

Explanation

This query hunts DeviceFileEvents for file activity associated with the PrintNightmare print spooler vulnerability (tracked as CVE-2021-1675; the remote code execution variant was later assigned CVE-2021-34527). It keeps only events from the last day and then applies a regular expression to FolderPath, which in DeviceFileEvents holds the full path including the file name. The regex has two alternatives. The first matches any .dll under \Windows\System32\spool\drivers\x64\3\old\ whose path after old\ does not begin with 1 or 2 (the [^1|2] construct is a character class, so the | is a literal character there, not alternation); this covers the numbered subfolders the spooler creates for older driver versions, where a maliciously installed driver DLL ends up. The second alternative matches a DLL named MyExploit, evil, addCube, rev, rev2, main64 or mimilib anywhere on the device, regardless of folder; these are file names seen in public proof-of-concept code for the bug (mimilib.dll is the Mimikatz printer driver DLL). Note that matches regex in KQL is case-sensitive, so a driver written as MIMILIB.DLL would not match; prefix the pattern with (?i) if you need case-insensitive matching.
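The following is an added example, not part of the original query page, that runs the query's two where clauses over constructed DeviceFileEvents-style rows so the regex behaviour is visible: which paths hit, why the old\1 and old\2 subfolders are skipped, that the named-DLL alternative is not tied to the spooler folder, and what the case-sensitivity caveat changes. It assumes Python's re module as a stand-in for the Kusto RE2 engine (the pattern uses only syntax both interpret identically); the sample paths, timestamps and helper names are invented for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# The regex from the KQL query, copied verbatim into a Python raw string.
# Assumption: Python's re module is used here in place of Kusto's RE2 engine;
# this pattern uses no syntax that differs between the two.
PRINTNIGHTMARE_PATTERN = (
    r'\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)'
    r'|\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$'
)


def matches_printnightmare(folder_path: str, case_insensitive: bool = False) -> bool:
    """Return True if folder_path would satisfy the query's 'matches regex' clause.

    KQL 'matches regex' is case-sensitive; case_insensitive=True prepends the
    '(?i)' flag (valid in both RE2 and Python) to show what that change does.
    """
    pattern = ('(?i)' if case_insensitive else '') + PRINTNIGHTMARE_PATTERN
    return re.search(pattern, folder_path) is not None


def hunt(events, now, window=timedelta(days=1), case_insensitive=False):
    """Apply both where clauses: Timestamp > ago(1d) and the FolderPath regex."""
    cutoff = now - window
    return [
        e for e in events
        if e['Timestamp'] > cutoff
        and matches_printnightmare(e['FolderPath'], case_insensitive)
    ]


# Constructed sample rows (not real telemetry), shaped like DeviceFileEvents.
# FolderPath carries the full path including the file name, as in the real table.
NOW = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # numbered subfolder 3 under old\: first alternative matches
    {'Timestamp': NOW - timedelta(hours=1),
     'FolderPath': r'C:\Windows\System32\spool\drivers\x64\3\old\3\payload.dll'},
    # subfolder 1: excluded by the [^1|2] class, and the name is not in the list
    {'Timestamp': NOW - timedelta(hours=1),
     'FolderPath': r'C:\Windows\System32\spool\drivers\x64\3\old\1\payload.dll'},
    # subfolder 2, but a listed name: second alternative matches
    {'Timestamp': NOW - timedelta(hours=2),
     'FolderPath': r'C:\Windows\System32\spool\drivers\x64\3\old\2\evil.dll'},
    # listed name outside the spooler tree: second alternative is unanchored
    {'Timestamp': NOW - timedelta(minutes=30),
     'FolderPath': r'C:\Users\bob\Downloads\mimilib.dll'},
    # 'revenge.dll' is neither 'rev.dll' nor 'rev2.dll': no match
    {'Timestamp': NOW - timedelta(minutes=30),
     'FolderPath': r'C:\Temp\revenge.dll'},
    # upper-case name: no match unless (?i) is used
    {'Timestamp': NOW - timedelta(minutes=10),
     'FolderPath': r'C:\Windows\System32\spool\drivers\x64\3\old\3\MIMILIB.DLL'},
    # would match the regex, but falls outside the 1-day window
    {'Timestamp': NOW - timedelta(days=3),
     'FolderPath': r'C:\Windows\System32\spool\drivers\x64\3\old\4\dropper.dll'},
]

if __name__ == '__main__':
    for e in hunt(SAMPLE_EVENTS, NOW):
        print('HIT ', e['FolderPath'])
    print('hits with (?i):', len(hunt(SAMPLE_EVENTS, NOW, case_insensitive=True)))
```

Running the script yields three hits in the case-sensitive form and four with (?i); the old\1 path and the stale old\4 row never appear, which is the behaviour to keep in mind when tuning the character class or the time window.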

Details

Rod Trent

Released: June 30, 2021

Tables

DeviceFileEvents

Keywords

DeviceFileEvents,Timestamp,FolderPath,matches,regex,Windows,System32,spool,drivers,x64,old,dll,MyExploit,evil,addCube,rev,rev2,main64,mimilib

Operators

where, matches regex, @, ago, |