HiveNightmare aka SeriousSAM vulnerability query

The Live Discover query below, from Sophos MTR, identifies processes that have accessed the SAM, SECURITY, or SYSTEM registry hive files inside Volume Shadow Copies.

It is optimized to minimize the number of accesses to the Sophos File Journal so that hunts can cover wider periods of time. This is achieved with a single LIKE predicate in the WHERE clause of the inner SELECT over the Sophos journals (matching anything under the config directory of a shadow copy), followed by a second SELECT over that result whose WHERE clause uses several OR'd LIKE predicates to keep only SAM, SECURITY, and SYSTEM accesses, which keeps false positives down.

The results show details of the process together with the machine learning (ML) score, potentially unwanted application (PUA) score, and local and global reputation of the file backing the process, to help determine whether that file is suspicious.

-- $$startTime$$ DATE
-- $$endTime$$ DATE

-- Stage 1: one LIKE over the file journal pulls every event under a shadow copy's config directory
WITH shadow_copy_file_events AS (
  SELECT
    datetime(sfj.time, 'unixepoch') AS time,
    sfj.subject,
    CASE sfj.eventType
      WHEN 0 THEN 'created'
      WHEN 1 THEN 'renamed'
      WHEN 2 THEN 'deleted'
      WHEN 3 THEN 'modified'
      WHEN 4 THEN 'hardLinkCreated'
      WHEN 5 THEN 'timestampsModified'
      WHEN 6 THEN 'permissionsModified'
      WHEN 7 THEN 'ownershipModified'
      WHEN 8 THEN 'accessed'
      WHEN 9 THEN 'binaryFileMapped'
    END eventType,
    sfj.sophosPID,
    spj.pathname AS process_path,
    spj.processName,
    spj.cmdline,
    sfj.pathname,
    sfj.fileSize,
    spj.sha256,
    sfp.mlScore,
    sfp.puaScore,
    sfp.localRep,
    sfp.globalRep,
    datetime(sfj.creationTime, 'unixepoch') AS 'CreationTime',
    datetime(sfj.lastAccessTime, 'unixepoch') AS 'LastAccessTime',
    datetime(sfj.lastWriteTime, 'unixepoch') AS 'LastWriteTime',
    datetime(sfj.changeTime, 'unixepoch') AS 'ChangeTime'
  FROM sophos_file_journal sfj
  LEFT JOIN sophos_process_journal spj
    ON spj.sophosPID = sfj.sophosPID
  LEFT JOIN sophos_file_properties sfp 
    ON sfp.sha256 = spj.sha256
  WHERE sfj.pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\%'
    AND sfj.time > $$startTime$$
    AND sfj.time < $$endTime$$
)
-- Stage 2: narrow the small intermediate result to the three hive files (sam.log, sam.sav etc. are excluded)
SELECT *
FROM shadow_copy_file_events
WHERE
  pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\sam'
  OR pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\security'
  OR pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\system'
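To show how the two-stage filter behaves on concrete paths (shadow copy numbers, mixed case, sam.log1 and non-shadow volumes), here is an added example that is not part of the original query: it loads constructed journal rows into an in-memory SQLite database (the same engine osquery uses) and runs the same CTE-plus-OR pattern. The table columns are trimmed to what the hunt uses, and the Live Discover $$startTime$$/$$endTime$$ variables are replaced by sqlite3 named parameters.

```python
import sqlite3

# Constructed sample data (not real Sophos journal rows); only the columns the
# hunt needs are modelled. Times are Unix epoch seconds, eventType 8 = accessed.
SAMPLE_FILE_EVENTS = [
    (1626800000, "p1", 8, r"\device\harddiskvolumeshadowcopy1\windows\system32\config\sam"),
    (1626800010, "p1", 8, r"\device\harddiskvolumeshadowcopy1\windows\system32\config\system"),
    (1626800020, "p2", 8, r"\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SECURITY"),
    (1626800030, "p3", 8, r"\device\harddiskvolumeshadowcopy1\windows\system32\config\sam.log1"),
    (1626800040, "p4", 8, r"\device\harddiskvolume3\windows\system32\config\sam"),
    (1626900000, "p1", 8, r"\device\harddiskvolumeshadowcopy1\windows\system32\config\sam"),
]
SAMPLE_PROCESSES = [  # (sophosPID, processName), constructed
    ("p1", "tool.exe"), ("p2", "powershell.exe"), ("p3", "backup.exe"), ("p4", "lsass.exe"),
]

# Same two-stage shape as the Live Discover query: one LIKE over the journal in
# the CTE, then OR'd LIKEs for the three hives. Backslashes are literal in SQLite
# LIKE (no ESCAPE clause), and LIKE is case-insensitive for ASCII by default.
HUNT_SQL = r"""
WITH shadow_copy_file_events AS (
  SELECT datetime(sfj.time, 'unixepoch') AS time, spj.processName, sfj.pathname
  FROM sophos_file_journal sfj
  LEFT JOIN sophos_process_journal spj ON spj.sophosPID = sfj.sophosPID
  WHERE sfj.pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\%'
    AND sfj.time > :startTime AND sfj.time < :endTime
)
SELECT time, processName, pathname FROM shadow_copy_file_events
WHERE pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\sam'
   OR pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\security'
   OR pathname LIKE '\device\harddiskvolumeshadowcopy%\windows\system32\config\system'
ORDER BY time
"""

def build_db():
    """In-memory stand-in for the Sophos journal tables, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_file_journal (time INT, sophosPID TEXT, eventType INT, pathname TEXT)")
    conn.execute("CREATE TABLE sophos_process_journal (sophosPID TEXT, processName TEXT)")
    conn.executemany("INSERT INTO sophos_file_journal VALUES (?,?,?,?)", SAMPLE_FILE_EVENTS)
    conn.executemany("INSERT INTO sophos_process_journal VALUES (?,?)", SAMPLE_PROCESSES)
    return conn

def run_hunt(start_time, end_time):
    """Return (processName, pathname) pairs for shadow-copy hive accesses in the window."""
    conn = build_db()
    rows = conn.execute(HUNT_SQL, {"startTime": start_time, "endTime": end_time}).fetchall()
    conn.close()
    return [(name, path) for _, name, path in rows]

if __name__ == "__main__":
    for name, path in run_hunt(1626790000, 1626850000):
        print(f"{name:16} {path}")
```

Note that the sam.log1 row passes stage 1 (it is under the config directory) but is dropped by stage 2, while the access on the live volume never enters the CTE at all.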