THM Room: Velociraptor |
Hunt for a nightmare (Volatility)
Objective: Use Velociraptor to create an artifact to detect the PrintNightmare vulnerability!
Luckily there is an artifact entry in the Artifact Exchange. To avoid just copy/pasting the artifact, you will need to construct a very simple VQL query.
Below are steps to construct your VQL query to find the DLL:
The
Select
clause, the column accessors should be fullpath (concatenateC:/
to the fullpath column accessor) and filename.Make sure the column headers for each column accessor are renamed. Fullpath should be
Full_Path
, and for filename it should beFile_Name
.Use
parse_pe()
to ensure only PE files are returned. (Check the VQL Reference)Make sure the column header for this plugin should be renamed to PE.
The
From
clause should useparse_mft()
.The
Where
clause should not return any directories, only return binaries (PE files) and search the directory where this malicious DLL will most likely be found.
Skeleton Query:
SELECT "C:/" + FullPath AS *********,FileName AS *********,parse_pe(file="C:/" + FullPath) AS **
FROM parse_mft(filename="C:/$***", accessor="****")
WHERE *** IsDir
AND FullPath =~ "Windows/System32/spool/drivers"
AND **
Note: You will need to start Velociraptor in “Instant Velociraptor” mode. The instructions to do so can be found here. The virtual machine attached to this task is running Velociraptor version 0.6.2.
Query:
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir
AND FullPath =~ "Windows/System32/spool/drivers"
AND PE
Questions
What is the name in the Artifact Exchange to detect Printnightmare?
Windows.Detection.PrintNightmare
What is your Select clause? (no spaces after commas)
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
What is the name of the DLL that was placed by the attacker? and What is the PDB entry?
nightmare.dll resp C:\Users\caleb\source\repos\nightmare\x64\Release\nightmare.pdb |