Under Review

PrintNightmare Hunting Query (Data Lake)

We've created a hunting query for hosts possibly infected via CVE-2021-1675 (PrintNightmare), based on this Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml

The input variable $$filePath$$ is set to "C:\Windows\System32\spool\drivers\x64\%".

SELECT
    meta_hostname AS ep_name,
    filename,
    path,
    ctime,
    sha1,
    sha256,
    file_size,
    ml_score,
    ml_score_data,
    pua_score,
    global_rep,
    global_rep_data,
    local_rep,
    local_rep_data,
    core_file_info
FROM xdr_data
WHERE
    (path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll')
    AND (local_rep_data LIKE '%"isValid":0,"signer"%'
         OR ml_score > 25
         OR pua_score > 25)
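
To show what the data-lake query above actually selects, here is an added Python example (not part of the original post and not Cortex/XDR code) that applies the same filter to a handful of constructed records: a SQL LIKE path match for the spool driver directory with the .exe/.dll restriction, and the reputation test. The record shape (meta_hostname, path, local_rep_data, ml_score, pua_score) is assumed to mirror the xdr_data columns the query reads; the sample values are invented. One caveat it makes visible: the query's substring match on local_rep_data ('%"isValid":0,"signer"%') depends on JSON key order, so the example parses the JSON and checks isValid directly, and keeps the substring version alongside it for comparison.

```python
import json
import re
from typing import Dict, Iterable, List

# Value the post assigns to the $$filePath$$ input variable (the trailing % is a SQL LIKE wildcard).
FILE_PATH_PATTERN = r"C:\Windows\System32\spool\drivers\x64\%"


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL LIKE pattern into an anchored, case-insensitive regex.

    '%' matches any run of characters (including backslashes), '_' matches one character,
    everything else is literal. Case-insensitive mirrors SQLite/most data-lake LIKE behaviour.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def path_in_scope(path: str, file_path: str = FILE_PATH_PATTERN) -> bool:
    """Equivalent of: path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll'."""
    return any(like_to_regex(file_path + ext).match(path) for ext in (".exe", ".dll"))


def legacy_substring_match(local_rep_data: str) -> bool:
    """The post's check: local_rep_data LIKE '%"isValid":0,"signer"%' (order-sensitive)."""
    return '"isValid":0,"signer"' in (local_rep_data or "")


def unsigned_per_local_rep(local_rep_data: str) -> bool:
    """Order-independent check: parse the JSON and test isValid == 0; unparsable data is not flagged."""
    try:
        data = json.loads(local_rep_data)
    except (TypeError, ValueError):
        return False
    return isinstance(data, dict) and data.get("isValid") == 0


def is_suspicious(rec: Dict, ml_threshold: int = 25, pua_threshold: int = 25) -> bool:
    """Full WHERE clause of the data-lake query, with the JSON-based signer check."""
    if not path_in_scope(rec["path"]):
        return False
    return (
        unsigned_per_local_rep(rec.get("local_rep_data", ""))
        or rec.get("ml_score", 0) > ml_threshold
        or rec.get("pua_score", 0) > pua_threshold
    )


def hunt(records: Iterable[Dict]) -> List[Dict]:
    """Return the records the query would surface, preserving input order."""
    return [r for r in records if is_suspicious(r)]


# Constructed sample records (hostnames, paths and scores are invented for illustration).
SAMPLE_RECORDS = [
    {"meta_hostname": "ws01", "path": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "local_rep_data": '{"isValid":0,"signer":""}', "ml_score": 10, "pua_score": 0},
    {"meta_hostname": "ws01", "path": r"C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL",
     "local_rep_data": '{"isValid":1,"signer":"Microsoft Windows"}', "ml_score": 0, "pua_score": 0},
    # Same meaning as record 0 but with the keys in a different order: the substring match misses it.
    {"meta_hostname": "ws02", "path": r"C:\Windows\System32\spool\drivers\x64\3\New\loader.exe",
     "local_rep_data": '{"signer":"","isValid":0}', "ml_score": 5, "pua_score": 0},
    # Validly signed but with a high ML score: surfaced by the score branch.
    {"meta_hostname": "ws03", "path": r"C:\Windows\System32\spool\drivers\x64\3\dropper.dll",
     "local_rep_data": '{"isValid":1,"signer":"Some Vendor"}', "ml_score": 80, "pua_score": 0},
    # Unsigned, but outside the spool driver directory: out of scope for this hunt.
    {"meta_hostname": "ws04", "path": r"C:\Program Files\foo\tool.exe",
     "local_rep_data": '{"isValid":0,"signer":""}', "ml_score": 90, "pua_score": 90},
    # Inside the directory, but not a .exe/.dll: out of scope.
    {"meta_hostname": "ws05", "path": r"C:\Windows\System32\spool\drivers\x64\3\notes.txt",
     "local_rep_data": '{"isValid":0,"signer":""}', "ml_score": 0, "pua_score": 0},
]


if __name__ == "__main__":
    for r in hunt(SAMPLE_RECORDS):
        print(r["meta_hostname"], r["path"])
```

Running it prints three hits (ws01 evil.dll, ws02 loader.exe, ws03 dropper.dll). The loader.exe record is the one to note: its reputation JSON carries the same isValid 0 as evil.dll, but the key order differs, so the query's substring pattern would not match it while the parsed check does. If the data lake exposes a JSON extraction function, testing the isValid field directly rather than the raw string avoids that gap.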

Parents
  • Similar to this is the non-data lake query that we've been using.

    SELECT
       path,
       directory,
       filename,
       inode,
       uid,
       gid,
       mode,
       device,
       size,
       block_size,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(atime,'unixepoch')) atime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(mtime,'unixepoch')) mtime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(ctime,'unixepoch')) ctime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(btime,'unixepoch')) btime,
       hard_links,
       symlink,
       type,
       attributes,
       volume_serial,
       file_id,
       product_version,
       bsd_flags
    FROM file
    WHERE
        mtime > $$startTime$$
        AND ((path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll'))


Children
  • I had some weird results with the query above. This one seems to be more reliable when querying live endpoints.

    SELECT
       path,
       directory,
       filename,
       inode,
       uid,
       gid,
       mode,
       device,
       size,
       block_size,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(atime,'unixepoch')) atime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(mtime,'unixepoch')) mtime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(ctime,'unixepoch')) ctime,
       strftime('%Y-%m-%dT%H:%M:%SZ', datetime(btime,'unixepoch')) btime,
       hard_links,
       symlink,
       type,
       attributes,
       volume_serial,
       file_id,
       product_version,
       bsd_flags
    FROM file
    WHERE
        mtime > $$startTime$$
        AND (path LIKE '$$filePath$$%'
             AND (filename LIKE '%.dll' OR filename LIKE '%.exe'))