Under Review

PrintNightmare Hunting Query (Live Discovery/Windows)

Similar to the Data Lake query (which seems to be having issues, since it's not detecting all DLL files in all folders), we've also created a Live Discovery query for Windows systems for the PrintNightmare vulnerability. The query could be scheduled via the API and run on all endpoints. The results will show hashes, file info and Sophos reputation data, if there is any.

As input for the PrintNightmare query you should use 'C:\Windows\System32\spool\drivers\x64\%', as well as a proper date input for the startTime, which works on the modified date.

KR,

reg1nleifr

-- f = osquery file table, p = Sophos reputation/scores, h = file hashes.
-- Columns are qualified to avoid ambiguity between the joined tables.
SELECT
   f.path,
   f.directory,
   f.filename,
   h.md5,
   h.sha1,
   p.sha256,
   p.mlScore,
   p.puaScore,
   p.localRep,
   p.globalRep,
   p.fileSize,
   f.uid,
   f.gid,
   f.size,
   strftime('%Y-%m-%dT%H:%M:%SZ', datetime(f.atime, 'unixepoch')) AS atime,
   strftime('%Y-%m-%dT%H:%M:%SZ', datetime(f.mtime, 'unixepoch')) AS mtime,
   strftime('%Y-%m-%dT%H:%M:%SZ', datetime(f.ctime, 'unixepoch')) AS ctime,
   strftime('%Y-%m-%dT%H:%M:%SZ', datetime(f.btime, 'unixepoch')) AS btime,
   f.hard_links,
   f.symlink,
   f.type,
   f.attributes
FROM file f
JOIN sophos_file_properties p
   ON f.path = p.pathname
JOIN hash h
   ON f.path = h.path
WHERE
   -- $$startTime$$: only files modified after the given date
   f.mtime > $$startTime$$
   -- $$filePath$$: the spool driver folder, e.g. C:\Windows\System32\spool\drivers\x64\%
   AND f.path LIKE '$$filePath$$%'
   -- only executables and libraries, excluding the Microsoft fx*.dll fax drivers
   AND (f.filename LIKE '%.dll' OR f.filename LIKE '%.exe')
   AND f.filename NOT LIKE 'fx%.dll'
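As an added example (not the author's code, nor Sophos' query API), here is the same filter logic in Python applied to the rows the query would return from several endpoints, followed by a rarity triage: results are grouped by sha256 and the hashes seen on the fewest endpoints are listed first, which is where a driver dropped by a PrintNightmare exploit would typically surface. The sample rows, hostnames, hashes and dates are constructed; the path prefix and start time are the values the post recommends.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like the query's output (one row per file per
# endpoint). Hostnames, paths other than the spool folder, and hashes are made up.
SAMPLE_ROWS = [
    {"endpoint": "host-a", "path": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll",
     "filename": "unidrv.dll", "sha256": "1111aaaa", "mtime": "2021-01-10T08:00:00Z"},
    {"endpoint": "host-a", "path": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "filename": "evil.dll", "sha256": "deadbeef", "mtime": "2021-07-01T12:00:00Z"},
    {"endpoint": "host-b", "path": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll",
     "filename": "evil.dll", "sha256": "deadbeef", "mtime": "2021-07-01T12:05:00Z"},
    {"endpoint": "host-b", "path": r"C:\Windows\System32\spool\drivers\x64\3\fxui.dll",
     "filename": "fxui.dll", "sha256": "2222bbbb", "mtime": "2021-07-01T12:06:00Z"},
    {"endpoint": "host-c", "path": r"C:\Windows\System32\spool\drivers\x64\3\new.dll",
     "filename": "new.dll", "sha256": "c0ffee00", "mtime": "2021-07-02T09:00:00Z"},
    {"endpoint": "host-c", "path": r"C:\Windows\System32\spool\drivers\x64\3\readme.txt",
     "filename": "readme.txt", "sha256": "3333cccc", "mtime": "2021-07-02T09:00:00Z"},
    {"endpoint": "host-c", "path": r"C:\Windows\Temp\foo.dll",
     "filename": "foo.dll", "sha256": "4444dddd", "mtime": "2021-07-02T09:00:00Z"},
]

# The input the post recommends for $$filePath$$ (trailing LIKE wildcard included)
# and an assumed $$startTime$$ just before the public PrintNightmare reports.
PATH_PREFIX = r"C:\Windows\System32\spool\drivers\x64\%"
START_TIME = "2021-06-30T00:00:00Z"


def _parse_ts(value):
    """Parse the query's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_hit(row, start_time, path_prefix):
    """Mirror the query's WHERE clause for one result row.

    mtime > startTime, path under the spool driver folder (Windows paths are
    case-insensitive), extension .dll or .exe, and not a Microsoft fx*.dll.
    """
    prefix = path_prefix.rstrip("%").lower()
    name = row["filename"].lower()
    if _parse_ts(row["mtime"]) <= _parse_ts(start_time):
        return False
    if not row["path"].lower().startswith(prefix):
        return False
    if not name.endswith((".dll", ".exe")):
        return False
    if name.startswith("fx") and name.endswith(".dll"):
        return False
    return True


def filter_hits(rows, start_time=START_TIME, path_prefix=PATH_PREFIX):
    """Return only the rows that satisfy the query's filter."""
    return [r for r in rows if is_hit(r, start_time, path_prefix)]


def triage_by_hash(rows):
    """Group hits by sha256 and order them rarest-first across endpoints.

    A hash present on one or two machines in a fleet deserves a look before
    a hash that every endpoint shares (which is usually a vendor driver).
    """
    endpoints = defaultdict(set)
    paths = defaultdict(set)
    for r in rows:
        endpoints[r["sha256"]].add(r["endpoint"])
        paths[r["sha256"]].add(r["path"])
    triaged = [
        {"sha256": h, "endpoint_count": len(endpoints[h]),
         "endpoints": sorted(endpoints[h]), "paths": sorted(paths[h])}
        for h in endpoints
    ]
    return sorted(triaged, key=lambda t: (t["endpoint_count"], t["sha256"]))


if __name__ == "__main__":
    for entry in triage_by_hash(filter_hits(SAMPLE_ROWS)):
        print(entry["endpoint_count"], entry["sha256"], entry["paths"])
```

Run against a real export, replace SAMPLE_ROWS with the rows returned by the scheduled query; the rarity ordering is most useful when the export covers the whole fleet, since a hash seen on a single endpoint is only meaningful relative to how many endpoints reported.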