Update README.md
ZephrFish authored Jul 1, 2021
1 parent 7731e6b commit 2dc0452
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion README.md
Expand Up @@ -128,5 +128,21 @@ Message="The Print Spooler service terminated unexpectedly"))
- https://twitter.com/NathanMcNulty/status/1410289115354914820
## KQL Query for Sentinel / MDE via Olaf Hartong
```
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
```
https://twitter.com/olafhartong/status/1410229699993874442
Source: https://twitter.com/olafhartong/status/1410229699993874442
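Review bot: in the `suspiciousdrivers` definition, `GlobalPrevalence < 50` silently drops any hash for which `FileProfile` returns no prevalence value, and a null compared with `<` is not true in KQL, so a driver DLL that has never been seen before (the case this hunt most wants to surface) falls out of the result; consider `(isnull(GlobalPrevalence) or GlobalPrevalence < 50)` so unknown files are kept. Two smaller points on the same block: the `DeviceType != "Workstation"` scope and the `InitiatingProcessFileName != "ccmexec.exe"` exclusion both narrow coverage without explanation, so a sentence in the README stating that the query is aimed at print servers and why SCCM-initiated loads are excluded would help readers decide whether to widen it; and the fence opens with a bare ``` where a `kql` tag would give the block syntax highlighting.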
