logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Finding Files on Systems - Used for Dell Vulnerability DSA-2021-088

Status: Approved Submitted by on ‎05-05-2021 01:02 PM

Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directories). This was used to find out which systems had a vulnerable file associated to a Dell firmware vulnerability: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update... 

What The Data Shows: Provides back the filename and path it was found in.

SQL:

SELECT filename,path 
FROM file 
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys" 
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

Sexy updated (vulnerable) version from @jnelson 

SELECT filename,path,

  CASE 
    WHEN COUNT(*) > 0 THEN "TRUE"

    ELSE "FALSE"

  END "vulnerable"

FROM file

WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"

  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

> Requirement: Windows Systems

 

Tags (1)
Comment
11 Comments
mrpeters22
Contributor III
‎05-06-2021 07:02 AM
‎05-06-2021 07:02 AM

This is working great for me so far in our environment! Thanks!!

knumata
New Contributor
‎05-06-2021 01:12 PM
‎05-06-2021 01:12 PM

Thanks for this but quick question.  When I run this from the search bar on the Investigate tab I receive the following error:

Your query is invalid. Ensure a value is included and slashes, colons, and spaces are manually escaped.

Should I be running this somewhere else?

Thanks in advance!

Justang
New Contributor II
‎05-06-2021 01:18 PM
‎05-06-2021 01:18 PM

@knumata Underneath Investigation, there's Live Query > New Query

It runs it as an osquery on each system, ensure you are at CB version 3.5 and over or osquery can hang and cause some resource issues.

If you don't set a Policy or endpoint it runs against everything.

cblizzard
New Contributor III
‎05-06-2021 01:29 PM
‎05-06-2021 01:29 PM

Excellent! Thank you. So if the vulnerability is not found the result of "0" or "No match" found is expected else file name and path are shown? 

Thanks again.

Justang
New Contributor II
‎05-06-2021 01:37 PM
‎05-06-2021 01:37 PM

Correct, @cblizzard, well not whether the vulnerability is actually present, but if the file is there or not.

I tested it first on my system while not having the file, 'No Match', then I just created a file named dbutil_2_3.sys in one of those two directories and it says where it was matched. 

knumata
New Contributor
‎05-06-2021 01:40 PM
‎05-06-2021 01:40 PM

Strange.  I don't see a Live Query option.  Is it possibly not available on Endpoint Standard?

Justang
New Contributor II
‎05-06-2021 01:43 PM
‎05-06-2021 01:43 PM

@knumata Yes I believe it's a feature that you may have to pay for, in my opinion it's one of the best features they've added and I recommend it.

We've been wanting to add osquery to all our systems, but were having issues with osquery on the Windows environment. CB seems to have got it down now.

knumata
New Contributor
‎05-06-2021 01:46 PM
‎05-06-2021 01:46 PM

@Justang  Gotcha.  Thanks for the replies!

cblizzard
New Contributor III
‎05-06-2021 01:47 PM
‎05-06-2021 01:47 PM

Yes, Knumata it is called "Live Query" and I agree it is one of the best features for threat hunting. 

https://www.carbonblack.com/blog/carbon-black-edrs-all-new-live-query-capability-and-enhanced-filele...

 

knumata
New Contributor
‎05-06-2021 01:51 PM
‎05-06-2021 01:51 PM

@cblizzard Thanks!  I'll reach out to our sales rep about the EDR upgrade.

logo