Print Nightmare
Query
//PrintNightmare CVE-2021-1675
DeviceFileEvents
| where Timestamp > ago(1d)
| where FolderPath matches regex @'\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\([^1|2].*\.dll)|\\(MyExploit|evil|addCube|rev|rev2|main64|mimilib)\.dll$'Explanation
This query is searching for file events related to the PrintNightmare vulnerability (CVE-2021-1675). It filters the events to only include those that occurred within the last day and are related to specific DLL files located in the Windows System32 spool drivers folder. The DLL files being searched for have specific names that match a regular expression pattern.
Details

Rod Trent
Released: June 30, 2021
Tables
DeviceFileEvents
Keywords
DeviceFileEventsTimestampFolderPathmatchesregexWindowsSystem32spooldriversx64olddllMyExploiteviladdCuberevrev2main64mimilib
Operators
wherematches regex@ago|