Built off the open source project Osquery
Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directories). This was used to find out which systems had a vulnerable file associated to a Dell firmware vulnerability: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update...
What The Data Shows: Provides back the filename and path it was found in.
SELECT filename,path FROM file WHERE path = "C:\Windows\Temp\dbutil_2_3.sys" OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";
Sexy updated (vulnerable) version from @jnelson
SELECT CASE WHEN COUNT(*) > 0 THEN "TRUE" ELSE "FALSE" END AS vulnerable
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";
-- Note: the post only preserved the CASE and WHERE lines; the SELECT/ELSE/END and FROM file wrapper above is the minimal completion needed for the query to run.
> Requirement: Windows Systems
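As an added example (not from the original post, @jnelson, or Carbon Black), a follow-up Live Query for the hosts that match: a filename hit only proves a file with that name exists, so this pulls the size, timestamp, SHA-256 and Authenticode signer of each hit using osquery's Windows file, hash and authenticode tables. The expected hash is a placeholder to be filled in from Dell's advisory.

```sql
-- Added triage query (not from the original post): for every filename hit,
-- return the evidence needed to decide whether it is really the Dell driver.
-- Columns come from osquery's file, hash and authenticode tables (Windows).
SELECT
  f.path,
  f.size,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  h.sha256,
  a.subject_name,                      -- expected: Dell's code-signing subject
  a.result         AS signature_state, -- e.g. trusted / untrusted / missing
  CASE
    -- placeholder: replace with the SHA-256 published for DSA-2021-088
    WHEN h.sha256 = '<SHA256_FROM_DSA-2021-088>' THEN 'known vulnerable build'
    ELSE 'name match only, verify manually'
  END AS assessment
FROM file f
JOIN hash h ON h.path = f.path
LEFT JOIN authenticode a ON a.path = f.path
WHERE f.path = 'C:\Windows\Temp\dbutil_2_3.sys'
   OR f.path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys';
```

Hosts with no file still return "No Match"; hosts with a hit return one row per file, so an unsigned or differently hashed file with the same name stands out immediately.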
This is working great for me so far in our environment! Thanks!!
Thanks for this but quick question. When I run this from the search bar on the Investigate tab I receive the following error:
Your query is invalid. Ensure a value is included and slashes, colons, and spaces are manually escaped.
Should I be running this somewhere else?
Thanks in advance!
@knumata Underneath Investigation, there's Live Query > New Query
It runs it as an osquery on each system, ensure you are at CB version 3.5 and over or osquery can hang and cause some resource issues.
If you don't set a Policy or endpoint it runs against everything.
Excellent! Thank you. So if the vulnerability is not found, a result of "0" or "No match" is expected; otherwise the file name and path are shown?
Correct, @cblizzard. Well, not whether the vulnerability is actually present, but whether the file is there or not.
I tested it first on my system while not having the file, 'No Match', then I just created a file named dbutil_2_3.sys in one of those two directories and it says where it was matched.
Strange. I don't see a Live Query option. Is it possibly not available on Endpoint Standard?
@knumata Yes, I believe it's a feature that you may have to pay for. In my opinion it's one of the best features they've added, and I recommend it.
We've been wanting to add osquery to all our systems, but we were having issues with osquery on the Windows environment. CB seems to have got it down now.
@Justang Gotcha. Thanks for the replies!
Yes, Knumata, it is called "Live Query", and I agree it is one of the best features for threat hunting.
@cblizzard Thanks! I'll reach out to our sales rep about the EDR upgrade.