Hi, This is the last update as far as I know:
https://kc.mcafee.com/corporate/index?page=content&id=KB94659
ENS Expert Rule:
Rule {
Hi @Satish_Talatam ,
The McAfee team is currently investigating coverage. Please check back in 48 hrs.
Thanks
You need 48HRS to patch a 0DAY?
Azure Sentinel/Windows Defender, something in that direction. You are Tier 1? With such an answer? Please show this to your line boss shortly and ask him what he says.
If you look at the sample for Sentinel/Windows Defender in detail, it does the following 😉
* Check that it's not on workstations
* Make sure it's not coming from Config Manager (or SCCM)
* List all drivers and check if they are validly signed
That's only detecting the impact after you have already been hacked. That's like all the fancy SIEM solutions like Rapid 7 (Metasploit for Managers), where you see what happened AFTER it happened and the bomb exploded and all are dead.
Most of the time you don't need a fancy SIEM for that. You have a CEO assistant who screams; that's better.
Tell us how to prevent it somehow? Disabling the Spooler service seems a nice approach.
// Servers only: workstations are excluded from this hunt
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Rare, non-Microsoft, not validly signed images loaded from the spool driver tree
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
// Join back to the load events to see which device and process loaded each suspicious hash,
// dropping loads initiated by the ConfigMgr client
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
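An offline re-implementation of the hunting logic in that query, added here as an example (not part of the original post or any vendor query). The `ImageLoad` class is an assumption that folds the DeviceInfo and FileProfile() fields into one row, and the sample rows and hashes are constructed:

```python
from dataclasses import dataclass

# Directory prefix the query filters on (compared case-insensitively, like KQL startswith)
SPOOL_DIR = r"c:\windows\system32\spool\drivers"

@dataclass(frozen=True)
class ImageLoad:
    """One DeviceImageLoadEvents row with DeviceInfo.DeviceType and the FileProfile()
    enrichment fields folded in (an assumption made for this offline example)."""
    device_id: str
    device_type: str
    folder_path: str
    sha1: str
    initiating_process: str
    global_prevalence: int
    root_signer_microsoft: bool
    signature_state: str

def on_server_spool_tree(e: ImageLoad) -> bool:
    """Shared filter: non-workstation device, image loaded from the spool driver tree."""
    return e.device_type != "Workstation" and e.folder_path.lower().startswith(SPOOL_DIR)

def suspicious_hashes(events: list[ImageLoad]) -> set[str]:
    """Mirror the 'suspiciousdrivers' subquery: rare files that are neither
    Microsoft-rooted nor validly signed."""
    return {
        e.sha1 for e in events
        if on_server_spool_tree(e)
        and e.global_prevalence < 50
        and not e.root_signer_microsoft
        and e.signature_state != "SignedValid"
    }

def hunt(events: list[ImageLoad]) -> list[ImageLoad]:
    """Mirror the join: every server-side spool-tree load of a suspicious hash,
    minus loads initiated by the ConfigMgr client (ccmexec.exe)."""
    bad = suspicious_hashes(events)
    return [e for e in events
            if on_server_spool_tree(e) and e.sha1 in bad
            and e.initiating_process.lower() != "ccmexec.exe"]

# Constructed sample rows; the hashes are placeholders, not real indicators.
NEW = r"C:\Windows\System32\spool\drivers\x64\3\New"
SAMPLE = [
    ImageLoad("srv-01", "Server", NEW, "aa" * 20, "spoolsv.exe", 3, False, "Unsigned"),
    ImageLoad("srv-01", "Server", NEW[:-4], "bb" * 20, "spoolsv.exe", 900000, True, "SignedValid"),
    ImageLoad("srv-02", "Server", NEW, "cc" * 20, "ccmexec.exe", 5, False, "Unsigned"),
    ImageLoad("wks-07", "Workstation", NEW, "dd" * 20, "spoolsv.exe", 1, False, "Unsigned"),
]
```

Only the srv-01 load of the unsigned, rare file survives: the well-known signed driver, the ConfigMgr-initiated load and the workstation event are all dropped, matching the three checks listed in the post.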
Hello,
Any update on this so far? Thank you!
I am curious what a test plan would entail for this?
Aside from just making sure you can still print once you have machines that have the Expert Policy applied, what else would be something to test?
Update:
IMPORTANT: As of July 6, 2021, Microsoft has released KB5005010, an out-of-band update to address CVE-2021-34257 Remote Code Execution. This update allows organizations to restrict Print Driver installation to Administrator groups exclusively. McAfee recommends customers apply this update as soon as possible.
For more information, see the Microsoft update release article at: KB5005010 - Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Please follow the below thread or the KBA where we keep this information updated:
Sincerely hope this helps!
Is there way to test the expert rule once you've added it? Want to verify I've got my settings correct. Would trying to install a new printer do it?
Hi, we have put this expert rule in place but can't figure out the syntax to exclude files that we require within our environment.
Would you or anyone be able to help me out with the syntax to exclude? Below is what I have tried, but I'm not sure if it is working correctly.
Rule {
Process {
Include OBJECT_NAME { -v "spoolsv.exe" }
}
Target {
Match FILE {
Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\FXS*.DLL" }
Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\FXS.DLL" }
Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\LMUD1*.DLL" }
Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\SendToOneNote*.dll" }
Exclude OBJECT_NAME { -v "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\SendToOneNote*.dll" }
Include -access "CREATE"
}
}
}
Any help would be great...
Thanks Scott