Use MDfE to hunt for PrintNightmare

We have spent the last week trying to patch endpoints for the PrintNightmare vulnerability (CVE-2021-34527), and Microsoft still has an open gap for this.

To follow the patching progress, Microsoft Defender for Endpoint comes in handy, especially its Advanced Hunting feature.

Query to search for Windows 10 devices that are patched:

DeviceInfo
| where MachineGroup == "INSERT GROUP NAME"
| join kind = inner DeviceEvents on DeviceId
| where FolderPath contains "Windows10.0-KB5004945"
or FolderPath contains "Windows10.0-KB5004946"
or FolderPath contains "Windows10.0-KB5004947"
or FolderPath contains "Windows10.0-KB5004948"
or FolderPath contains "Windows10.0-KB5004950"
| distinct DeviceName

Query to search for Windows 10 devices that still have the vulnerability:

DeviceInfo
| where MachineGroup == "INSERT GROUP NAME"
| join kind = inner DeviceTvmSoftwareVulnerabilities on DeviceId
| where OSPlatform == "Windows10"
| where CveId == "CVE-2021-34527"
| summarize CVE_Total = count(), make_set(CveId) by DeviceName, OSPlatform
| sort by CVE_Total asc
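
Both signals combined into one per-device status, as an added example that is not part of the original post. It reuses the same tables, KB file names and group placeholder; the Status labels and the column names PatchFileSeen and VulnerableEntries are made up here. A matching file path only shows that the update package was seen on the device, so the TVM result is kept next to it.

```kql
// Added example: combine patch-file evidence and TVM exposure per device.
// "INSERT GROUP NAME" is the same placeholder used in the queries above.
let GroupDevices =
    DeviceInfo
    | where MachineGroup == "INSERT GROUP NAME"
    | where OSPlatform == "Windows10"
    // DeviceInfo holds many snapshots per device; keep only the latest one
    | summarize arg_max(Timestamp, DeviceName) by DeviceId;
let PatchEvidence =
    DeviceEvents
    | where FolderPath contains "Windows10.0-KB5004945"
        or FolderPath contains "Windows10.0-KB5004946"
        or FolderPath contains "Windows10.0-KB5004947"
        or FolderPath contains "Windows10.0-KB5004948"
        or FolderPath contains "Windows10.0-KB5004950"
    // Most recent time an update package path was seen on the device
    | summarize PatchFileSeen = max(Timestamp) by DeviceId;
let StillVulnerable =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2021-34527"
    | summarize VulnerableEntries = count() by DeviceId;
GroupDevices
// leftouter keeps every device in the group, matched or not
| join kind = leftouter PatchEvidence on DeviceId
| join kind = leftouter StillVulnerable on DeviceId
| extend Status = case(
    isnotnull(VulnerableEntries) and isnotnull(PatchFileSeen), "Patch file seen, TVM still reports CVE",
    isnotnull(VulnerableEntries), "Vulnerable, no patch file seen",
    isnotnull(PatchFileSeen), "Patch file seen, not reported by TVM",
    "No data from either source")
| project DeviceName, Status, PatchFileSeen, VulnerableEntries
| sort by Status asc, DeviceName asc
```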