PrintNightmare Hunting Query (Data Lake)

We've created a hunting query for possibly infected CVE-2021-1675 hosts, based on this Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml

The input variable $$filePath$$ is "C:\Windows\System32\spool\drivers\x64\%".

SELECT
    meta_hostname AS ep_name,
    filename,
    path,
    ctime,
    sha1,
    sha256,
    file_size,
    ml_score,
    ml_score_data,
    pua_score,
    global_rep,
    global_rep_data,
    local_rep,
    local_rep_data,
    core_file_info
FROM xdr_data
WHERE
    -- executables and DLLs under the spool driver directory ($$filePath$$ is the input variable above)
    (path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll')
    -- that are either unsigned or scored as suspicious by the ML / PUA classifiers
    AND (local_rep_data LIKE '%"isValid":0,"signer"%'
         OR ml_score > 25
         OR pua_score > 25)
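To check the filter logic offline before running it against the data lake, the following Python re-implements the posted WHERE clause over a handful of constructed xdr_data-style rows. This is an added example, not part of the original post or of any Cortex tooling; the rows, hostnames and file names are made up, and the column names are taken from the query above. It also shows one caveat of the posted predicate: `local_rep_data LIKE '%"isValid":0,"signer"%'` is a literal substring match and only fires when the JSON happens to be serialised with "signer" directly after "isValid":0. Parsing the JSON removes that dependency; the sample includes one row where the two approaches disagree.

```python
"""Emulate the PrintNightmare spool-driver hunting query over constructed
records so the WHERE clause can be checked offline. Added example, not part of
the original post; all rows below are constructed, not real telemetry."""
import json
import re

# The post's input variable, substituted into the two LIKE patterns.
FILE_PATH = r"C:\Windows\System32\spool\drivers\x64\%"
PATTERNS = [FILE_PATH + ".exe", FILE_PATH + ".dll"]
SCORE_THRESHOLD = 25  # ml_score / pua_score cut-off used by the query


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL LIKE pattern into an anchored regex: '%' matches any
    run of characters, '_' matches exactly one, everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # escapes the backslashes in the path
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


PATH_REGEXES = [like_to_regex(p) for p in PATTERNS]


def path_in_scope(path: str) -> bool:
    """(path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll')"""
    return any(rx.match(path) for rx in PATH_REGEXES)


def unsigned_by_substring(local_rep_data: str) -> bool:
    """Exactly what the posted query does: a literal substring test that only
    fires if "signer" is serialised immediately after "isValid":0."""
    return '"isValid":0,"signer"' in local_rep_data


def unsigned_by_json(local_rep_data: str) -> bool:
    """Parse the JSON instead, so key order and whitespace do not matter."""
    try:
        return json.loads(local_rep_data).get("isValid") == 0
    except (ValueError, AttributeError):
        return False  # malformed or non-object payload: treat as no verdict


def is_hit(row: dict, strict_substring: bool = True) -> bool:
    """Apply the posted WHERE clause to one row of xdr_data."""
    if not path_in_scope(row["path"]):
        return False
    check = unsigned_by_substring if strict_substring else unsigned_by_json
    return (check(row["local_rep_data"])
            or row["ml_score"] > SCORE_THRESHOLD
            or row["pua_score"] > SCORE_THRESHOLD)


def hunt(rows, strict_substring: bool = True):
    """Return (meta_hostname, path) for every row the query would surface."""
    return [(r["meta_hostname"], r["path"]) for r in rows if is_hit(r, strict_substring)]


# Constructed sample rows (hypothetical hosts and files, not real data).
SAMPLE_ROWS = [
    {   # Microsoft-signed driver component: must not be flagged
        "meta_hostname": "PRINTSRV01",
        "path": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll",
        "local_rep_data": '{"isValid":1,"signer":"Microsoft Windows"}',
        "ml_score": 0, "pua_score": 0,
    },
    {   # unsigned DLL under the driver directory, serialised as the query expects
        "meta_hostname": "PRINTSRV01",
        "path": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
        "local_rep_data": '{"isValid":0,"signer":""}',
        "ml_score": 10, "pua_score": 0,
    },
    {   # same verdict, different key order: substring test misses it, JSON parse catches it
        "meta_hostname": "WKS-07",
        "path": r"C:\Windows\System32\spool\drivers\x64\3\New\loader.dll",
        "local_rep_data": '{"signer":"","isValid":0}',
        "ml_score": 0, "pua_score": 0,
    },
    {   # signed, but a high ML score alone is enough to match
        "meta_hostname": "WKS-07",
        "path": r"C:\Windows\System32\spool\drivers\x64\3\spoolhelper.exe",
        "local_rep_data": '{"isValid":1,"signer":"Contoso Ltd"}',
        "ml_score": 80, "pua_score": 0,
    },
    {   # unsigned, but outside the hunted directory: out of scope
        "meta_hostname": "WKS-07",
        "path": r"C:\Users\Public\evil.dll",
        "local_rep_data": '{"isValid":0,"signer":""}',
        "ml_score": 0, "pua_score": 0,
    },
]

if __name__ == "__main__":
    for host, path in hunt(SAMPLE_ROWS, strict_substring=False):
        print(f"{host}\t{path}")
```

Run as-is it prints the three rows the JSON-parsing variant surfaces; `hunt(SAMPLE_ROWS)` with the default substring check returns only two, dropping the loader.dll row whose JSON has the keys in the other order. Whether the real local_rep_data column is ever serialised that way is an assumption here, not something the post establishes; the point is that a predicate keyed on field position is fragile, and a JSON-aware check costs nothing.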

Comment
  • Hi,

    I tested this query to show all DLLs under the path "C:\Windows\System32\spool\drivers\x64\%".

    It looks like no DLL files are indexed in this table, and since the attack is based on loading malicious DLLs, the query won't help to detect the attack.

    SELECT
        meta_hostname AS ep_name,
        filename,
        path,
        ctime,
        sha1,
        sha256,
        file_size,
        ml_score,
        ml_score_data,
        pua_score,
        global_rep,
        global_rep_data,
        local_rep,
        local_rep_data,
        core_file_info
    FROM xdr_data
    WHERE
        (path LIKE '$$SpoolDriver$$.dll')
