REVIEWED by Sophos
To search for services whose ImagePath exposes the computer to the classic Unquoted Service Path vulnerability, a basic osquery query such as the following could be run:
SELECT name, path FROM services WHERE path LIKE '% %' AND path LIKE '%.exe';
To break this down, the query is looking for services where the ImagePath value for the service (the path column of osquery's services table) contains at least one space ('% %') AND the path ends in '.exe'.
As an example, if the "Sophos Device Control Service" ImagePath value under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Device Control Service
had a value of:
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sdcservice.exe
The query would then return the "Sophos Device Control Service" service as vulnerable: the path is unquoted, contains spaces, and ends in .exe.
Of course, the ImagePath value for a service could also contain arguments after the service binary; for example, the Sophos Clean service ImagePath is:
"C:\Program Files (x86)\Sophos\Clean\SophosCleanM.exe" /service
If this were unquoted it wouldn't be returned by the above query, as the string does not end in .exe. We need something that covers:
- C:\1 2\3.exe
- C:\1\2 3\4.exe
- C:\1 2\3.exe /5
- C:\1 2\3.exe -5
but does not return, for example:
- C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p
A better query might therefore be:
SELECT name, path FROM services WHERE path NOT LIKE '% %.exe"%' AND path LIKE '% %.exe%';
This refined query returns paths that contain a space somewhere before ".exe" but do not contain ".exe" immediately followed by a closing quote, i.e. the binary is unquoted and the directory part contains a space, regardless of any arguments that follow it. Because SQLite's LIKE is case-insensitive for ASCII, a path ending in .EXE is matched as well. Two caveats: a hit is a candidate rather than proof of exploitability (the service must run under a privileged account, and a standard user must be able to create a file in one of the directories along the path for the classic attack to work), and the query can still produce the odd false positive, for instance a correctly quoted binary followed by an unquoted argument path that contains a space and ends in .exe.
I'm sure it could be honed further, and osquery does support regex via regex_match, as detailed here: https://osquery.readthedocs.io/en/stable/introduction/sql/, but this should cover 99.9% of cases.
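The following is an added example, not code from the original post or from Sophos. It loads a handful of constructed ImagePath values (the shapes from the list above, plus a quoted path, a mixed-case path and a path with no spaces) into an in-memory SQLite table shaped like osquery's services table, runs both the basic and the refined query against it, and, for each hit, lists the binaries Windows would try before the real one. It assumes osquery's LIKE behaves as SQLite's does (osquery is built on SQLite) and models the documented CreateProcess behaviour for unquoted paths, in which every prefix ending at a space is tried with .exe appended; the service names and paths are made up for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows modelled on osquery's services table (name, path).
# Names and paths are invented for this example; only their shapes matter.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Svc1", r"C:\1 2\3.exe"),
    ("Svc2", r"C:\1\2 3\4.exe"),
    ("Svc3", r"C:\1 2\3.exe /5"),
    ("Svc4", r"C:\1 2\3.exe -5"),
    ("Quoted", r'"C:\Program Files (x86)\Sophos\Clean\SophosCleanM.exe" /service'),
    ("svchost", r"C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p"),
    ("NoSpace", r"C:\Windows\system32\snmptrap.exe"),
    ("Upper", r"C:\PROGRAM FILES\ACME\AGENT.EXE"),
]

# The two queries from the post, unchanged apart from consistent quoting.
BASIC_QUERY = "SELECT name, path FROM services WHERE path LIKE '% %' AND path LIKE '%.exe'"
REFINED_QUERY = """SELECT name, path FROM services WHERE path NOT LIKE '% %.exe"%' AND path LIKE '% %.exe%'"""


def run_query(query: str, rows=SAMPLE_SERVICES) -> List[str]:
    """Run an osquery-style SELECT against an in-memory services table.

    SQLite's LIKE is case-insensitive for ASCII and treats backslash as a
    literal character, which is the behaviour the queries rely on.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE services (name TEXT, path TEXT)")
    con.executemany("INSERT INTO services VALUES (?, ?)", rows)
    names = [row[0] for row in con.execute(query)]
    con.close()
    return names


def hijack_candidates(path: str) -> List[str]:
    """Return the binaries the service control manager would try first.

    For an unquoted ImagePath, CreateProcess tries each prefix that ends at
    a space with .exe appended (C:\\Program Files\\x y\\z.exe is tried as
    C:\\Program.exe, then C:\\Program Files\\x.exe, then the real binary).
    Arguments are ignored by cutting at the first ".exe". A quoted path, or
    a path with no spaces in the binary part, yields no candidates, which
    matches what the refined query reports. Prefixes that already contain
    a dot (where Windows would not append .exe) are not special-cased here.
    """
    if path.startswith('"'):
        return []
    end = path.lower().find(".exe")
    if end == -1:
        return []
    binary = path[: end + 4]
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def refined_hits_with_candidates(rows=SAMPLE_SERVICES) -> List[Tuple[str, List[str]]]:
    """Pair each refined-query hit with the paths an attacker could plant."""
    by_name = dict(rows)
    return [(name, hijack_candidates(by_name[name])) for name in run_query(REFINED_QUERY, rows)]


if __name__ == "__main__":
    print("basic query  :", run_query(BASIC_QUERY))
    print("refined query:", run_query(REFINED_QUERY))
    for name, candidates in refined_hits_with_candidates():
        print(f"{name}: attacker could plant {candidates}")
```

The basic query misses Svc3 and Svc4 (arguments after the binary), while the refined query catches all four unquoted paths, ignores the quoted Sophos Clean path and svchost, and, because of LIKE's case folding, also picks up the upper-case path. The candidate list is the part worth acting on: each entry is a location where a standard user's ability to create a file turns the finding into privilege escalation.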