The first query digs into the print spooler drivers folder for any file creations. Many of the files that show up here may be legitimate; unsigned files, or ones with no relation to the printers you actually use, are suspicious. A second query, for finding client machines that could be operating as print servers or file servers, is also included. As additional mitigation for the exploit you might want to block incoming traffic to the SMB or EPMAP ports (445) if you need to ke
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | ec1934d5-c591-4ff4-9968-079dba04d28e |
| Tactics | Privilege escalation, Lateral movement, Exploit |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| DeviceFileEvents | ActionType == "FileCreated" | ✓ | ✗ | ? |
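The two hunts the description outlines, written out as an added example; this is not the content item's own query from GitHub. It assumes the Microsoft Defender for Endpoint advanced-hunting schema (DeviceFileEvents, DeviceFileCertificateInfo, DeviceNetworkEvents, DeviceInfo), the default spooler driver path `\Windows\System32\spool\drivers\`, and a constructed "at least 3 distinct clients" threshold for the server-role heuristic. Run each query separately.

```kql
// Added example, not the content item's own query.
// Assumes the Defender for Endpoint advanced-hunting schema.
//
// Query 1: file creations under the print spooler drivers folder, enriched
// with certificate information so unsigned or untrusted files sort to the top.
// Many hits will be legitimate driver installs; review the signer and whether
// the file relates to a printer actually deployed in the environment.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath has @"\Windows\System32\spool\drivers\"   // default path (assumption)
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer
  ) on SHA1
// No certificate record, unsigned, or untrusted chain -> worth a closer look
| extend Suspicious = isnull(IsSigned) or IsSigned == false or IsTrusted == false
| project Timestamp, DeviceName, FolderPath, FileName, SHA1,
          IsSigned, IsTrusted, Signer,
          InitiatingProcessFileName, InitiatingProcessAccountName, Suspicious
| order by Suspicious desc, Timestamp desc

// Query 2: client (non-server) Windows machines that accept inbound SMB/RPC
// endpoint-mapper connections from several peers, i.e. workstations that may
// be acting as print or file servers and so are exposed to the same traffic.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (445, 135)
| summarize Connections = count(),
            DistinctClients = dcount(RemoteIP),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp) by DeviceName
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, OSPlatform) by DeviceName
    | where OSPlatform !startswith "WindowsServer"   // keep client OS only
    | project DeviceName, OSPlatform
  ) on DeviceName
| where DistinctClients >= 3   // constructed threshold; tune per environment
| project DeviceName, OSPlatform, Connections, DistinctClients, FirstSeen, LastSeen
| order by DistinctClients desc
```

The certificate join is `leftouter` on purpose: a file with no DeviceFileCertificateInfo row at all is more interesting than one with a trusted signer, so the absence is kept and flagged rather than dropped. Query 2 is a heuristic for finding where the mitigation in the description (blocking inbound 445/135 to workstations) would break something, not an indicator of compromise on its own.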