Printnightmare Hunting Query (Data Lake)

We've created a hunting query for possible infected cve-2021-1675 Hosts, based on this Sigma Rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml

The input variable "C:\Windows\System32\spool\drivers\x64\%"

SELECT
    meta_hostname AS ep_name,
    filename,
    path,
    ctime,
    sha1,
    sha256,
    file_size,
    ml_score,
    ml_score_data,
    pua_score,
    global_rep,
    global_rep_data,
    local_rep,
    local_rep_data,
    core_file_info
FROM xdr_data
WHERE
(path LIKE '$$filePath$$.exe' OR path LIKE '$$filePath$$.dll')
AND (local_rep_data like '%"isValid":0,"signer"%'
OR ml_score > 25
OR pua_score > 25)

reg1nleifr

Top Comments

Dennis Barnekow over 3 years ago in reply to reg1nleifr +1

Yes the data lake is active in our system. When I change the query to " WHERE (path LIKE '$$SpoolDriver$$.exe')" I get results, but the query WHERE (path LIKE '$$SpoolDriver$$.dll') is not receiving any…

Parents

Dennis Barnekow over 3 years ago

Hi reg1nleifr,

I tested this query to show all DLLs under the path "C:\Windows\System32\spool\drivers\x64\%".

It looks like no DLL files are indexed in this table and the attack is based on loading malicious DLLs so the query won't help to detect the attack.

SELECT
meta_hostname AS ep_name,
filename,
path,
ctime,
sha1,
sha256,
file_size,
ml_score,
ml_score_data,
pua_score,
global_rep,
global_rep_data,
local_rep,
local_rep_data,
core_file_info
FROM xdr_data
WHERE
(path LIKE '$$SpoolDriver$$.dll')
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
reg1nleifr over 3 years ago in reply to Dennis Barnekow

I assume this is regarding the data lake query? Remember, you only have 7 days of data in the datalake (but you can schedule the query), also you will need to manually activate sending data to the data lake. Regarding activation of data lake uploads see: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/DataLakeUploads.html

KR
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Dennis Barnekow over 3 years ago in reply to reg1nleifr

Thanks for doublechecking.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
reg1nleifr over 3 years ago in reply to reg1nleifr

I checked it again on a dll that I created. And it seems like the DLL file changes aren't stored from all locations. Therefore you're right that you cannot detect the DLL IOCs with this query..
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

reg1nleifr over 3 years ago in reply to reg1nleifr

I checked it again on a dll that I created. And it seems like the DLL file changes aren't stored from all locations. Therefore you're right that you cannot detect the DLL IOCs with this query..
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

Dennis Barnekow over 3 years ago in reply to reg1nleifr

Thanks for doublechecking.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Printnightmare Hunting Query (Data Lake)

Top Comments