```kql
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
// Optionally filter for only the print spooler to load the driver to make it specific to this attack
//| where InitiatingProcessFileName == "spoolsv.exe"
```
Hi @olafhartong, can you please explain what this query does? I'm a newbie in KQL queries. Thank you so much
@blebit18 The tables referenced by the query DO get fed to Azure Sentinel (with the 365 connector), so theoretically you could get the job done in Sentinel, but:
In line 2 change "DeviceType" to "Type"
and ugh, it's not as quick and dirty as I thought it would be, because:
In line 8 ... the "FileProfile" function seems to be unique to Defender's advanced hunting and not valid in Sentinel. I'm also not sure if the prevalence information referenced in line 9 is available in Sentinel, so you may not be able to reconstruct this for Sentinel after all (in the absence of MacGyvering a way to get more data into it).
An easy way to understand what the query is doing is to run pieces of it at a time. Do a query for just the "DeviceInfo" and "DeviceImageLoadEvents" tables for the last hour and look at the columns/fields in each and that will help understand what the query is doing.
I'm a mere mortal next to Gossi but it's looking for signs of the PrintNightmare attacks by looking for suspicious/unsigned print drivers being loaded. It does this by leveraging the information about the driver files in DeviceImageLoadEvents that are not widely seen, are not signed by Microsoft and don't contain a valid signature.
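To make each clause of the query concrete, the following is an added Python re-implementation of its filtering logic run over constructed sample rows (example code, not the gist's own; DEVICE_INFO, IMAGE_LOADS and FILE_PROFILE are made-up stand-ins for the DeviceInfo and DeviceImageLoadEvents tables and the FileProfile enrichment):

```python
SPOOL_DRIVERS = r"c:\windows\system32\spool\drivers"

# Constructed sample rows standing in for DeviceInfo (not real telemetry).
DEVICE_INFO = [
    {"DeviceId": "srv-01", "DeviceType": "Server"},
    {"DeviceId": "ws-07", "DeviceType": "Workstation"},
]

# Constructed rows standing in for DeviceImageLoadEvents.
IMAGE_LOADS = [
    {"DeviceId": "srv-01", "FolderPath": SPOOL_DRIVERS + r"\x64\3", "SHA1": "aaa1",
     "FileName": "unidrv.dll", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "srv-01", "FolderPath": SPOOL_DRIVERS + r"\x64\3", "SHA1": "bbb2",
     "FileName": "dropped.dll", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "srv-01", "FolderPath": SPOOL_DRIVERS + r"\x64\3", "SHA1": "bbb2",
     "FileName": "dropped.dll", "InitiatingProcessFileName": "ccmexec.exe"},
    {"DeviceId": "ws-07", "FolderPath": SPOOL_DRIVERS + r"\x64\3", "SHA1": "ccc3",
     "FileName": "rare.dll", "InitiatingProcessFileName": "spoolsv.exe"},
    {"DeviceId": "srv-01", "FolderPath": r"c:\windows\system32", "SHA1": "bbb2",
     "FileName": "dropped.dll", "InitiatingProcessFileName": "svchost.exe"},
]

# Constructed per-hash enrichment standing in for `invoke FileProfile(SHA1, 1000)`.
FILE_PROFILE = {
    "aaa1": {"GlobalPrevalence": 250000, "IsRootSignerMicrosoft": 1, "SignatureState": "SignedValid"},
    "bbb2": {"GlobalPrevalence": 3, "IsRootSignerMicrosoft": 0, "SignatureState": "Unsigned"},
    "ccc3": {"GlobalPrevalence": 1, "IsRootSignerMicrosoft": 0, "SignatureState": "Unsigned"},
}

def hunt_spool_drivers(device_info, image_loads, file_profile, spoolsv_only=False):
    """Mirror the KQL: server list -> rare unsigned hashes in the spool path -> join back."""
    # let serverlist = DeviceInfo | where DeviceType != "Workstation" | distinct DeviceId;
    serverlist = {d["DeviceId"] for d in device_info if d["DeviceType"] != "Workstation"}
    # Server devices whose load path is under spool\drivers (KQL startswith is case-insensitive)
    in_scope = [e for e in image_loads if e["DeviceId"] in serverlist
                and e["FolderPath"].lower().startswith(SPOOL_DRIVERS)]
    # let suspiciousdrivers = distinct SHA1 | invoke FileProfile | where rare, non-MS, not SignedValid
    suspicious = set()
    for sha1 in {e["SHA1"] for e in in_scope}:
        p = file_profile.get(sha1)  # a hash FileProfile cannot enrich never passes the filter
        if p and p["GlobalPrevalence"] < 50 and p["IsRootSignerMicrosoft"] != 1 \
                and p["SignatureState"] != "SignedValid":
            suspicious.add(sha1)
    # join kind=inner back onto the in-scope loads on SHA1, then drop the SCCM agent's loads
    hits = [e for e in in_scope if e["SHA1"] in suspicious
            and e["InitiatingProcessFileName"] != "ccmexec.exe"]
    if spoolsv_only:  # the commented-out last line of the gist
        hits = [e for e in hits if e["InitiatingProcessFileName"] == "spoolsv.exe"]
    return hits
```

Only the rare, unsigned driver loaded by the spooler on a server survives; the workstation load, the ccmexec.exe load and the load from outside the spool folder are each dropped by a different clause.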
thanks @GossiTheDog, added this
@blebit18 this is a Defender for Endpoint table, which does not appear to be available in Sentinel. So you'll have to query it there if you have that license