Approved

SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

Hunting Query we've used for detecting suspicious processes exploiting the SeriousSAM Vulnerability. Depending on your environment you might see plenty false positives. A good idea might be to add valid processes to the query based on the sha256 value.

-- $$startTime$$ DATE
-- $$endTime$$ DATE

SELECT    
    strftime('%Y-%m-%dT%H:%M:%SZ', datetime(sfj.time,'unixepoch')) dateTime,
    spj.processName,
    CASE sfj.eventType
        WHEN 0 THEN 'Created'
        WHEN 1 THEN 'Renamed'
        WHEN 2 THEN 'Deleted'
        WHEN 3 THEN 'Modified'
        WHEN 4 THEN 'HardLink Created'
        WHEN 5 THEN 'Timestamps Modified'
        WHEN 6 THEN 'Permissions Modified'
        WHEN 7 THEN 'Ownership Modified'
        WHEN 8 THEN 'Accessed'
        WHEN 9 THEN 'Binary File Mapped'
    END eventType,
    replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') fileName,
    spj.pathname processPath,
    sfj.pathname filePath,
    sfj.sophosPID,
    spj.sha256,
    spp.mlScore,
    spp.puaScore,
    spp.localRep,
    spp.globalRep
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj 
    ON spj.sophosPID = sfj.sophosPID
    AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID  , ':', '')), '')/10000000-11644473600
LEFT JOIN sophos_process_properties spp 
    ON spp.sophosPID = spj.sophosPID
WHERE sfj.pathname LIKE '\Device\HarddiskVolumeShadowCopy%\Windows\System32\config\%'
    AND sfj.time > $$startTime$$
    AND sfj.time < $$endTime$$
ORDER BY sfj.time DESC

KR, reg1nleifr

Parents Comment Children
No Data