XQL Query for CVE-2021-1675 exploitation attempts (printnightmare)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XQL Query for CVE-2021-1675 exploitation attempts (printnightmare)

L7 Applicator

Hi Community

 

I need some help in creating an XQL query for a BIOC which detects exploitation attempts for CVE-2021-1675 (printnightmare). So far I have the following two queries:

1. A query that detects incoming connections on port 445

dataset = xdr_data
| filter event_type = NETWORK and event_sub_type = NETWORK_STREAM_ACCEPT and (action_local_port = 139 or action_local_port = 445)
| fields event_type, agent_hostname as Hostname, action_local_ip as Local_IP, action_remote_ip as Remote_IP, action_external_hostname as Remote_Host, action_local_port as Local_Port, actor_process_image_name as Process_Getting_Connection

2. a query to view driverinstallations done by the print spooler service

dataset = xdr_data
| filter causality_actor_process_image_path = "C:\Windows\System32\spoolsv.exe" and actor_process_image_path = "C:\Windows\System32\drvinst.exe"
| fields agent_hostname as host_name, causality_actor_process_image_name as CGO_Name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, actor_process_execution_time as start_date, event_id

Now I'd like to combine them somehow in order so get an alert for incoming connections over SMB which result in a driverinstallation done by the print spooler service. Has anyone done something similar or is able to help me with this XQL query?

 

Thanks in advance,

Remo

5 REPLIES 5

L4 Transporter

Hi Remo! If it helps, take a look at our blog post on PrintNightmare for suggested XQL queries: https://www.paloaltonetworks.com/blog/security-operations/hunting-printnightmare/

 

 

Hi @kcross 

Thanks for sharing that link. This definately helps already.

Even if there are already some queries shared by Paloalto, I am still interested if my initial query is possible with this combination.

L2 Linker

@Remo wrote:

Hi Community

 

I need some help in creating an XQL query for a BIOC which detects exploitation attempts for CVE-2021-1675 (printnightmare). So far I have the following two queries:

1. A query that detects incoming connections on port 445

 

 

dataset = xdr_data
| filter event_type = NETWORK and event_sub_type = NETWORK_STREAM_ACCEPT and (action_local_port = 139 or action_local_port = 445)
| fields event_type, agent_hostname as Hostname, action_local_ip as Local_IP, action_remote_ip as Remote_IP, action_external_hostname as Remote_Host, action_local_port as Local_Port, actor_process_image_name as Process_Getting_Connection

 

 

2. a query to view driverinstallations done by the print spooler service

 

 

dataset = xdr_data
| filter causality_actor_process_image_path = "C:\Windows\System32\spoolsv.exe" and actor_process_image_path = "C:\Windows\System32\drvinst.exe"
| fields agent_hostname as host_name, causality_actor_process_image_name as CGO_Name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, actor_process_execution_time as start_date, event_id

 

 

Now I'd like to combine them somehow in order so get an alert for incoming connections over SMB which result in a driverinstallation done by the print spooler service. Has anyone done something similar or is able to help me with this XQL query?

 

Thanks in advance,

Remo


 

Hello Remo,

 

You can combine both queries with an union statement.  Here is an example union statement; 

 

XQL Helper Screenshot:

yalonso_0-1625251254867.png

 

Also, I've taken the liberty of combining your queries using the union statement

 

dataset = xdr_data
| filter event_type = NETWORK and event_sub_type = NETWORK_STREAM_ACCEPT and (action_local_port = 139 or action_local_port = 445)
| fields event_type, agent_hostname as Hostname, action_local_ip as Local_IP, action_remote_ip as Remote_IP, action_external_hostname as Remote_Host, action_local_port as Local_Port, actor_process_image_name as Process_Getting_Connection
| union (dataset = xdr_data
| filter causality_actor_process_image_path = "C:\Windows\System32\spoolsv.exe" and actor_process_image_path = "C:\Windows\System32\drvinst.exe"
| fields agent_hostname as host_name, causality_actor_process_image_name as CGO_Name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, actor_process_execution_time as start_date, event_id)

 

 

Hi @yalonso 

Thank you for your reply. I tried this command shortly but unfortunately this gives way too much results. Mainly because it simply shows all results from both queries in one resulttable. My goal still somehow is to search for driverinstallations by spoolsv.exe that are triggered from a remote host.

L3 Networker

You may have to tweak your queries to combine by using "join". Here's a sample of join 

jcandelaria_0-1626485737372.png

 

  • 5896 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!