THM Room: Velociraptor
Hunt for a nightmare
Objective: Use Velociraptor to create an artifact to detect the PrintNightmare vulnerability!
Luckily there is an artifact entry in the Artifact Exchange. To avoid just copy/pasting the artifact, you will need to construct a very simple VQL query.
Below are steps to construct your VQL query to find the DLL:
In the Select clause, the column accessors should be fullpath (concatenate "C:/" to the fullpath column accessor) and filename.
Make sure the column headers for each column accessor are renamed. Fullpath should be Full_Path, and filename should be File_Name.
Use parse_pe() to ensure only PE files are returned. (Check the VQL Reference.)
Make sure the column header for this plugin is renamed to PE.
The From clause should use parse_mft().
The Where clause should not return any directories, should only return binaries (PE files), and should search the directory where this malicious DLL will most likely be found.
SELECT "C:/" + FullPath AS *********,FileName AS *********,parse_pe(file="C:/" + FullPath) AS ** FROM parse_mft(filename="C:/$***", accessor="****") WHERE *** IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND **
Note: You will need to start Velociraptor in “Instant Velociraptor” mode. The instructions to do so can be found here. The virtual machine attached to this task is running Velociraptor version 0.6.2.
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE FROM parse_mft(filename="C:/$MFT", accessor="ntfs") WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE
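The task objective is to turn the query into an artifact rather than run it once from the notebook. The YAML below is an added example of how that query is wrapped as a custom client artifact; it is not the Artifact Exchange entry and not code from the room. The artifact name Custom.Detection.PrintNightmareDrivers and the DriverDir parameter are assumptions chosen here, and the extra PDB column assumes the parse_pe() result exposes its PDB field as described in the VQL reference (the PE column itself keeps the full parsed structure, as in the query above).

```yaml
# Added example: a custom client artifact built around the task's VQL query.
# Artifact name, parameter name and default are assumptions, not from the room.
name: Custom.Detection.PrintNightmareDrivers
description: |
  Walks the MFT for non-directory entries under the print spooler driver
  directory, keeps only files that parse_pe() can parse, and surfaces the
  PDB path embedded in each binary alongside the full parse_pe() output.
type: CLIENT
parameters:
  - name: DriverDir
    default: Windows/System32/spool/drivers
    description: Regex matched against the MFT FullPath column (no leading drive letter).
sources:
  - query: |
      -- Same SELECT/FROM/WHERE as the task query, with the directory as a parameter.
      -- Aliasing parse_pe() as PE and filtering on PE drops non-PE files (NULL result).
      LET pe_files = SELECT "C:/" + FullPath AS Full_Path,
                            FileName AS File_Name,
                            parse_pe(file="C:/" + FullPath) AS PE
                     FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
                     WHERE NOT IsDir
                       AND FullPath =~ DriverDir
                       AND PE

      -- Pull the PDB path out of the parsed PE so it is a column of its own
      -- (assumes parse_pe() returns a PDB field, per the VQL reference).
      SELECT Full_Path, File_Name, PE.PDB AS PDB, PE
      FROM pe_files
```

Paste this into the GUI under View Artifacts, Add an Artifact, then collect it from the client; the DriverDir default keeps the search scoped to the spooler driver store, where a PrintNightmare payload DLL is dropped, and can be widened to a broader regex if you want to hunt other writable driver paths with the same logic.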
What is the name in the Artifact Exchange to detect Printnightmare?
What is your Select clause? (no spaces after commas)
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
What is the name of the DLL that was placed by the attacker? And what is the PDB entry?