The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Finding Files on Systems - Used for Dell Vulnerability DSA-2021-088

Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directories). This was used to find out which systems had a vulnerable file associated to a Dell firmware vulnerability: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update... 

What The Data Shows: Provides back the filename and path it was found in.

SQL:

SELECT filename,path 
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

Sexy updated (vulnerable) version from @jnelson 

SELECT filename,path,

  CASE
    WHEN COUNT(*) > 0 THEN "TRUE"
    ELSE "FALSE"
  END "vulnerable"
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

> Requirement: Windows Systems

 

Tags (1)
11 Comments
mrpeters22
Contributor III

This is working great for me so far in our environment! Thanks!!

knumata
New Contributor

Thanks for this but quick question.  When I run this from the search bar on the Investigate tab I receive the following error:

Your query is invalid. Ensure a value is included and slashes, colons, and spaces are manually escaped.

Should I be running this somewhere else?

Thanks in advance!

Justang
New Contributor II

@knumata Underneath Investigation, there's Live Query > New Query

It runs it as an osquery on each system, ensure you are at CB version 3.5 and over or osquery can hang and cause some resource issues.

If you don't set a Policy or endpoint it runs against everything.

cblizzard
New Contributor III

Excellent! Thank you. So if the vulnerability is not found the result of "0" or "No match" found is expected else file name and path are shown? 

Thanks again.

Justang
New Contributor II

Correct, @cblizzard, well not whether the vulnerability is actually present, but if the file is there or not.

I tested it first on my system while not having the file, 'No Match', then I just created a file named dbutil_2_3.sys in one of those two directories and it says where it was matched. 

knumata
New Contributor

Strange.  I don't see a Live Query option.  Is it possibly not available on Endpoint Standard?

Justang
New Contributor II

@knumata Yes I believe it's a feature that you may have to pay for, in my opinion it's one of the best features they've added and I recommend it.

We've been wanting to add osquery to all our systems, but were having issues with osquery on the Windows environment. CB seems to have got it down now.

knumata
New Contributor

@Justang  Gotcha.  Thanks for the replies!

cblizzard
New Contributor III

Yes, Knumata it is called "Live Query" and I agree it is one of the best features for threat hunting. 

https://www.carbonblack.com/blog/carbon-black-edrs-all-new-live-query-capability-and-enhanced-filele...

 

knumata
New Contributor

@cblizzard Thanks!  I'll reach out to our sales rep about the EDR upgrade.