CVE-2025-1146 - System Scoping using OsVersionInfo & Logon Data
The query below will look for Linux systems (Linux, K8s, Containers) that need to be updated against CVE-2025-1146. The query is based on the event OsVersionInfo, which is generated every 24 hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 to determine the last logged-on user.
Query
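/*
The query below will look for Linux systems (Linux, K8s, Containers) that need to be updated against CVE-2025-1146.
The query is based on the event OsVersionInfo, which is generated every 24 hours, at sensor start, or at sensor update.
It attempts to merge in LogonType 2 and 10 to determine the last logged-on user.

Status values:
  NEEDS PATCH                 - AgentVersion is below the fixed build listed for that major.minor on that platform
  OK                          - AgentVersion is at/above the fixed build, or is newer than any version in the table
  REVIEW - version not in table - major.minor is not in the table below; confirm manually instead of assuming it is fixed
The fixed-build thresholds below are taken as given; verify them against the vendor advisory before acting on the output.
*/
// Get OsVersionInfo events; sent by sensor every 24 hours or at sensor start or update
#event_simpleName=OsVersionInfo
// Narrow search to only include Linux, Container, and K8s systems
| in(field="event_platform", values=[Lin, K8S])
// Enrich required fields from aid_master_main.csv (strict=false keeps rows with no match; those fields stay empty)
| aid=~match(file="aid_master_main.csv", column=[aid], include=[ProductType, Version, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], strict=false)
// Parse AgentVersion into individual components for evaluation (e.g. "7.20.17308.0" -> 7 / 20 / 17308)
| AgentVersion=/^(?<majorVersion>\d+)\.(?<minorVersion>\d+)\.(?<buildNumber>\d+)\./
// Evaluate Linux Container Sensors.
// NOTE: this case block must run before the plain Linux block: it rewrites event_platform to "Lin (Pod)",
// which is what keeps Pod rows from also being evaluated against the host-sensor thresholds below.
| case {
event_platform=Lin ProductType=Pod majorVersion=6 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion<=5 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=6 buildNumber<4705 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=10 buildNumber<4907 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=11 buildNumber<5003 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=12 buildNumber<5102 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=13 buildNumber<5202 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=14 buildNumber<5306 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=15 buildNumber<5403 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=16 buildNumber<5503 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=17 buildNumber<5603 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=18 buildNumber<5705 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=19 buildNumber<5807 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=20 buildNumber<5908 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
// Fail closed: 7.7-7.9 and anything older than 6.x have no threshold above, so do not report them as OK
event_platform=Lin ProductType=Pod majorVersion=7 in(field="minorVersion", values=["7", "8", "9"]) | Status:="REVIEW - version not in table" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod majorVersion<6 | Status:="REVIEW - version not in table" | event_platform:="Lin (Pod)";
event_platform=Lin ProductType=Pod | Status:="OK" | event_platform:="Lin (Pod)";
*;
}
// Evaluate Linux Sensors (Pod rows were relabelled above and no longer match event_platform=Lin)
| case {
event_platform=Lin majorVersion=6 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion<=5 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=6 buildNumber<16113 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=7 buildNumber<16209 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=10 buildNumber<16321 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=11 buildNumber<16410 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=13 buildNumber<16606 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=14 buildNumber<16705 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=15 buildNumber<16806 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=16 buildNumber<16909 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=17 buildNumber<17014 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=18 buildNumber<17131 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=19 buildNumber<17221 | Status:="NEEDS PATCH";
event_platform=Lin majorVersion=7 minorVersion=20 buildNumber<17308 | Status:="NEEDS PATCH";
// Fail closed: 7.8, 7.9, 7.12 and anything older than 6.x have no threshold above, so do not report them as OK
event_platform=Lin majorVersion=7 in(field="minorVersion", values=["8", "9", "12"]) | Status:="REVIEW - version not in table";
event_platform=Lin majorVersion<6 | Status:="REVIEW - version not in table";
event_platform=Lin | Status:="OK";
*;
}
// Evaluate K8s Sensors
| case {
event_platform=K8S majorVersion=6 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion<=5 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=6 buildNumber<603 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=10 buildNumber<806 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=11 buildNumber<904 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=12 buildNumber<1002 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=13 buildNumber<1102 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=14 buildNumber<1203 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=16 buildNumber<1403 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=17 buildNumber<1503 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=18 buildNumber<1605 | Status:="NEEDS PATCH";
event_platform=K8S majorVersion=7 minorVersion=20 buildNumber<1808 | Status:="NEEDS PATCH";
// Fail closed: 7.7-7.9, 7.15, 7.19 and anything older than 6.x have no threshold above, so do not report them as OK
event_platform=K8S majorVersion=7 in(field="minorVersion", values=["7", "8", "9", "15", "19"]) | Status:="REVIEW - version not in table";
event_platform=K8S majorVersion<6 | Status:="REVIEW - version not in table";
event_platform=K8S | Status:="OK";
*;
}
// Aggregate results into tabular format, keeping the most recent OsVersionInfo per host
| groupBy([cid, aid], function=([selectLast([cid, ComputerName, event_platform, Version, AgentVersion, Status, aip, LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time])]), limit=max)
// Add user logon data if available (left join: hosts with no interactive/SSH logon in the last 7d are kept)
| join(query={#event_simpleName=UserLogon LogonType=/^(2|10)$/ event_platform=Lin | groupBy([aid], function=[(selectLast([UserName, UID, LogonType]))])}, field=[aid], include=[UserName, UID, LogonType], start=7d, mode=left)
// Modify field names for easier reading
| rename([[cid, "Customer ID"],[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])
// Aggregate results into tabular format with cleaner ordering
| groupBy(["Customer ID", "Agent ID", ComputerName, UserName, UID, LogonType, Platform, Version, AgentVersion, Status, "External IP", LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], function=[], limit=max)
// Move timestamps from epoch to human readable. This runs BEFORE default() so that a missing
// FirstSeen/Time is filled with "-" rather than formatTime() being handed the "-" placeholder.
| formatTime(format="%F %T", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T", as="LastSeen", field=Time)
// Set default values for easier reading
| default(value="-", field=[ComputerName, Version, AgentVersion, Status, LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, LastSeen, UID, UserName, LogonType], replaceEmpty=true)
// Move LogonType to human readable
| case {
LogonType=2 | LogonType:="Interactive";
LogonType=10 | LogonType:="SSH";
*;
}
// Remove unnecessary field (the raw epoch value now lives in LastSeen)
| drop([Time])
Explicación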
Importado desde cql-hub.com. Agrega explicación de pipes aquí.
Variables a ajustar
Revisa y ajusta los valores según tu entorno.