Created
January 15, 2020 16:15
-
-
Save terracatta/83fb19fa97d2ca8cce93e1c32fe730b2 to your computer and use it in GitHub Desktop.
Osquery Detection for the presence of the patch that fixes CVE 2020 0601 and ensures the device was restarted
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WITH | |
| split_date AS | |
| (SELECT *, | |
| Split(installed_on, '/', 0) AS month, | |
| Split(installed_on, '/', 1) AS day, | |
| Split(installed_on, '/', 2) AS year | |
| FROM patches), | |
| leading_zeroes AS ( | |
| SELECT *, | |
| (SELECT local_time FROM time) AS local_time, | |
| (SELECT total_seconds FROM uptime) AS total_seconds, | |
| ('0' || CAST(month AS text)) AS month_zero, | |
| ('0' || CAST(day AS text)) AS day_zero, | |
| year | |
| FROM split_date), | |
| date_reconstruct AS ( | |
| SELECT *, | |
| (year | |
| || '-' || | |
| SUBSTR(month_zero, -2) | |
| || '-' || | |
| SUBSTR(day_zero, -2)) | |
| || ' 00:00:01' | |
| AS install_date_utc | |
| FROM leading_zeroes), | |
| restart_check AS ( | |
| SELECT *, | |
| CASE WHEN datetime(local_time - total_seconds, 'unixepoch') > install_date_utc | |
| THEN 'true' | |
| ELSE 'false' | |
| END AS restart_since_install | |
| FROM date_reconstruct) | |
| SELECT 'true' AS CVE_2020_0601_patched, | |
| hotfix_id, | |
| description, | |
| caption, | |
| installed_by, | |
| installed_on, | |
| restart_since_install | |
| FROM restart_check WHERE hotfix_id IN ( | |
| 'KB4534306', | |
| 'KB4534271', | |
| 'KB4534276', | |
| 'KB4534293', | |
| 'KB4534273', | |
| 'KB4528760'); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment