id: 8f404352-c4ff-44d1-8d70-c50ee2fad8f8
name: PrintNightmare CVE-2021-1675 usage Detection
description: |
  This query looks for any file creations in the print spooler drivers folder.
description-detailed: |
  This hunting query looks in the print spooler drivers folder for any file creations.
  MANY OF THE FILES THAT COME UP HERE MAY BE LEGITIMATE. Unsigned files, or files that
  have no relation to the printers you actually use, are suspicious.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - PrivilegeEscalation
  - LateralMovement
  - Execution
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers"
version: 1.0.0