Finding Files on Systems - Used for Dell Vulnerability DSA-2021-088

Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directories). This was used to find out which systems had a vulnerable file associated with a Dell firmware vulnerability: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update... 

What The Data Shows: Returns the filename and the path in which it was found.

SQL:

SELECT filename, path
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

Sexy updated (vulnerable) version from @jnelson 

SELECT filename, path,
  CASE
    WHEN COUNT(*) > 0 THEN "TRUE"
    ELSE "FALSE"
  END "vulnerable"
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";

> Requirement: Windows Systems

jnelson
Carbon Black Employee
Status changed to: Approved

@Justang Thanks for contributing to the Query Exchange! Might I suggest a small tweak to your query? From reading the article in your post, if the file is present then the system is vulnerable. I have added a CASE statement to state whether the system is vulnerable:

SELECT filename, path,
  CASE WHEN COUNT(*) > 0 THEN "TRUE"
    ELSE "FALSE"
  END "vulnerable"
FROM file
WHERE path = "C:\Windows\Temp\dbutil_2_3.sys"
  OR path LIKE "C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys";
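An added example, not code from the Query Exchange post or from Carbon Black: the CASE/COUNT(*) query above is an aggregate without GROUP BY, so it returns exactly one row per endpoint whether or not the file exists, which is what makes it convenient for a fleet-wide yes/no. The side effect is that filename and path are "bare columns" beside an aggregate, so when a host has the file in more than one location SQLite fills them from one arbitrary matching row. The script below reproduces both behaviours against a constructed in-memory table that stands in for osquery's `file` table (the host names, user names and rows are made up), and shows a GROUP_CONCAT variant that keeps the one-row shape but reports every path; the variant is my assumption of a reasonable follow-up, not something from the thread.

```python
import sqlite3

# Constructed stand-in for osquery's `file` table on three hypothetical hosts.
# Paths and user names are illustrative; none of this is real endpoint telemetry.
HOSTS = {
    "clean-host": [],
    "single-hit": [
        (r"C:\Windows\Temp\dbutil_2_3.sys", "dbutil_2_3.sys"),
    ],
    "multi-hit": [
        (r"C:\Windows\Temp\dbutil_2_3.sys", "dbutil_2_3.sys"),
        (r"C:\Users\alice\AppData\Local\Temp\dbutil_2_3.sys", "dbutil_2_3.sys"),
        (r"C:\Users\bob\AppData\Local\Temp\notes.txt", "notes.txt"),
    ],
}

# The two path constraints from the post; single quotes are the portable
# SQL string literal (SQLite also accepts the double quotes used in the thread).
WHERE_CLAUSE = r"""
WHERE path = 'C:\Windows\Temp\dbutil_2_3.sys'
   OR path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys'
"""

# The CASE/COUNT(*) form from the thread: always exactly one row, but filename
# and path sit beside an aggregate, so SQLite fills them from an arbitrary
# matching row (NULL when nothing matched).
ORIGINAL_QUERY = r"""
SELECT filename, path,
  CASE WHEN COUNT(*) > 0 THEN 'TRUE' ELSE 'FALSE' END AS vulnerable
FROM file
""" + WHERE_CLAUSE

# Assumed variant: same one-row-per-host shape, but every matching path is
# reported instead of one arbitrary one.
SUMMARY_QUERY = r"""
SELECT COUNT(*) AS hits,
       GROUP_CONCAT(path, '; ') AS paths,
       CASE WHEN COUNT(*) > 0 THEN 'TRUE' ELSE 'FALSE' END AS vulnerable
FROM file
""" + WHERE_CLAUSE


def run_query(rows, query):
    """Load the constructed rows into an in-memory `file` table and run `query`."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE file (path TEXT, filename TEXT)")
        conn.executemany("INSERT INTO file VALUES (?, ?)", rows)
        return conn.execute(query).fetchall()
    finally:
        conn.close()


def check_host(rows):
    """Summarise one host as {'vulnerable': bool, 'hits': int, 'paths': [...]}."""
    ((hits, paths, vulnerable),) = run_query(rows, SUMMARY_QUERY)
    return {
        "vulnerable": vulnerable == "TRUE",
        "hits": hits,
        # GROUP_CONCAT over zero rows yields NULL, so guard the split.
        "paths": paths.split("; ") if paths else [],
    }


if __name__ == "__main__":
    for name, rows in HOSTS.items():
        print(name, "original:", run_query(rows, ORIGINAL_QUERY))
        print(name, "summary: ", check_host(rows))
```

Two caveats carry over to the real Live Query: in SQLite's LIKE the underscore is a single-character wildcard, so `dbutil_2_3.sys` also matches names that differ only in those positions, and ASCII matching is case-insensitive; both are harmless here because the query is a presence check, but they matter if the pattern is reused for stricter matching.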