SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

Hunting query we've used for detecting suspicious processes exploiting the SeriousSAM vulnerability. Depending on your environment you might see plenty of false positives. A good idea might be to add valid processes to the query based on the sha256 value.

-- $$startTime$$ DATE
-- $$endTime$$ DATE

SELECT    
    strftime('%Y-%m-%dT%H:%M:%SZ', datetime(sfj.time,'unixepoch')) dateTime,
    spj.processName,
    CASE sfj.eventType
        WHEN 0 THEN 'Created'
        WHEN 1 THEN 'Renamed'
        WHEN 2 THEN 'Deleted'
        WHEN 3 THEN 'Modified'
        WHEN 4 THEN 'HardLink Created'
        WHEN 5 THEN 'Timestamps Modified'
        WHEN 6 THEN 'Permissions Modified'
        WHEN 7 THEN 'Ownership Modified'
        WHEN 8 THEN 'Accessed'
        WHEN 9 THEN 'Binary File Mapped'
    END eventType,
    -- strip everything up to the last '\' to leave only the file name
    replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') fileName,
    spj.pathname processPath,
    sfj.pathname filePath,
    sfj.sophosPID,
    spj.sha256,
    spp.mlScore,
    spp.puaScore,
    spp.localRep,
    spp.globalRep
FROM sophos_file_journal sfj
-- sophosPID is '<pid>:<start time>'; the part after ':' is a Windows FILETIME
-- (100 ns ticks since 1601), converted here to Unix seconds to match spj.time
LEFT JOIN sophos_process_journal spj
    ON spj.sophosPID = sfj.sophosPID
    AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID, ':', '')), '')/10000000-11644473600
LEFT JOIN sophos_process_properties spp 
    ON spp.sophosPID = spj.sophosPID
WHERE sfj.pathname LIKE '\Device\HarddiskVolumeShadowCopy%\Windows\System32\config\%'
    AND sfj.time > $$startTime$$
    AND sfj.time < $$endTime$$
ORDER BY sfj.time DESC

KR, reg1nleifr
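As an added, runnable illustration (not part of the post above and not Sophos code), the hunting query is executed with Python's sqlite3 against constructed sample rows for sophos_file_journal and sophos_process_journal. The $$startTime$$/$$endTime$$ variables become query parameters, the sophos_process_properties reputation columns are left out, and the sha256 allowlist the post suggests for known-good processes is appended. The sophosPID layout '<pid>:<FILETIME>' is an assumption read off the join condition; the process names, paths and hashes are made up.

```python
import sqlite3

# Offset between the Windows FILETIME epoch (1601-01-01, 100 ns ticks) and the
# Unix epoch, the same constant the posted join condition subtracts.
FILETIME_UNIX_OFFSET = 11644473600


def sophos_pid(pid, start_unix):
    """Build a sophosPID as '<pid>:<FILETIME of process start>'.
    Assumed format, mirrored from what the posted join parses."""
    return f"{pid}:{(start_unix + FILETIME_UNIX_OFFSET) * 10_000_000}"


# The posted query, with $$startTime$$/$$endTime$$ as sqlite3 parameters and the
# process_properties join omitted; an optional sha256 exclusion is appended by hunt().
HUNT_QUERY = r"""
SELECT
    strftime('%Y-%m-%dT%H:%M:%SZ', datetime(sfj.time, 'unixepoch')) dateTime,
    spj.processName,
    CASE sfj.eventType
        WHEN 0 THEN 'Created'              WHEN 1 THEN 'Renamed'
        WHEN 2 THEN 'Deleted'              WHEN 3 THEN 'Modified'
        WHEN 4 THEN 'HardLink Created'     WHEN 5 THEN 'Timestamps Modified'
        WHEN 6 THEN 'Permissions Modified' WHEN 7 THEN 'Ownership Modified'
        WHEN 8 THEN 'Accessed'             WHEN 9 THEN 'Binary File Mapped'
    END eventType,
    replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') fileName,
    spj.pathname processPath,
    sfj.pathname filePath,
    sfj.sophosPID,
    spj.sha256
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
    ON spj.sophosPID = sfj.sophosPID
    AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID, ':', '')), '')/10000000 - 11644473600
WHERE sfj.pathname LIKE '\Device\HarddiskVolumeShadowCopy%\Windows\System32\config\%'
    AND sfj.time > ?
    AND sfj.time < ?
"""


def build_sample_db():
    """Constructed sample telemetry (not real Sophos data) in an in-memory SQLite DB."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sophos_file_journal(time INTEGER, eventType INTEGER, pathname TEXT, sophosPID TEXT);
        CREATE TABLE sophos_process_journal(time INTEGER, processName TEXT, pathname TEXT,
                                            sophosPID TEXT, sha256 TEXT);
    """)
    t0 = 1627000000                       # constructed process start time (Unix seconds)
    unknown = sophos_pid(4242, t0)        # unknown binary run from a user-writable path
    backup = sophos_pid(1337, t0 - 600)   # known backup agent, candidate for the allowlist
    con.executemany(
        "INSERT INTO sophos_process_journal VALUES (?, ?, ?, ?, ?)",
        [
            (t0, "tool.exe", r"C:\Users\Public\tool.exe", unknown, "a" * 64),
            (t0 - 600, "backupagent.exe", r"C:\Program Files\Backup\backupagent.exe", backup, "b" * 64),
        ],
    )
    shadow = r"\Device\HarddiskVolumeShadowCopy1\Windows\System32\config"
    live = r"\Device\HarddiskVolume2\Windows\System32\config"
    con.executemany(
        "INSERT INTO sophos_file_journal VALUES (?, ?, ?, ?)",
        [
            (t0 + 100, 8, shadow + r"\SAM", unknown),      # shadow-copy SAM read: the hunt's target
            (t0 + 101, 8, shadow + r"\SYSTEM", unknown),
            (t0 + 50, 8, shadow + r"\SECURITY", backup),   # benign agent, noise without an allowlist
            (t0 + 200, 8, live + r"\SAM", unknown),        # live hive path, outside the LIKE filter
        ],
    )
    return con


def hunt(con, start_unix, end_unix, allowlist_sha256=()):
    """Run the hunting query; processes whose sha256 is in allowlist_sha256 are
    dropped, as the post suggests for valid processes. Events whose process
    could not be joined (sha256 NULL) are kept: unknown is not known-good."""
    query, params = HUNT_QUERY, [start_unix, end_unix]
    if allowlist_sha256:
        marks = ", ".join("?" * len(allowlist_sha256))
        query += f" AND (spj.sha256 IS NULL OR spj.sha256 NOT IN ({marks}))"
        params += list(allowlist_sha256)
    query += " ORDER BY sfj.time DESC"
    con.row_factory = sqlite3.Row
    return [dict(row) for row in con.execute(query, params)]


if __name__ == "__main__":
    db = build_sample_db()
    for hit in hunt(db, 1626000000, 1628000000, allowlist_sha256=["b" * 64]):
        print(hit["dateTime"], hit["processName"], hit["eventType"], hit["filePath"])
```

Running it without an allowlist returns the three shadow-copy hive accesses (the live-volume path is filtered by the LIKE); passing the backup agent's hash drops its SECURITY read and leaves only the two events from the unknown binary, which is the tuning step the post recommends.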