# Find vulnerable Dell driver, dbutil_2_3.sys
This query was originally published in the threat analytics report, *Multiple EOP flaws in Dell driver (CVE-2021-21551)*.

**Data sources:** DeviceFileEvents
**Platforms:** Windows
**Tags:** privilege-escalation, ransomware
[CVE-2021-21551](https://nvd.nist.gov/vuln/detail/CVE-2021-21551) is a vulnerability in dbutil_2_3.sys, a driver distributed with Dell firmware updates and tools. Attackers can exploit this vulnerability to escalate privileges on a device they have already compromised. The following query detects whether the affected driver has been written to a device's \Temp folders.
## Query
```kusto
DeviceFileEvents
| where SHA256 in ("0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5","ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1","552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4","4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0","87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3")
| where FolderPath has_any (@"C:\Windows\Temp\",@"C:\Temp\")
```
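The query's two filters, a hash match and a folder check, are easy to test offline. The block below is an added example, not part of the original page or of Microsoft's query: it re-implements the same matching logic in Python over constructed DeviceFileEvents-style records (device names, paths and the non-matching hash are made up; the five SHA256 values are the ones from the query above), so you can see which records fire and which do not.

```python
"""
Added example, not from the kqlHunting page or Microsoft's query: the hunting
query's logic re-implemented over constructed DeviceFileEvents-style records.
The five SHA256 values are taken from the page's query; every event record
below is constructed sample data, not real telemetry.
"""

# Known hashes of vulnerable dbutil_2_3.sys builds, copied from the page's query.
DBUTIL_SHA256 = {
    "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5",
    "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1",
    "552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4",
    "4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0",
    "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3",
}

# Folder prefixes the query treats as suspicious drop locations (same two as the KQL).
SUSPICIOUS_FOLDERS = ("C:\\Windows\\Temp\\", "C:\\Temp\\")


def is_vulnerable_dbutil(event: dict) -> bool:
    """Hash filter. KQL `in` is case-sensitive; lowercasing here makes the
    Python version tolerant of a source that reports uppercase hex."""
    sha = (event.get("SHA256") or "").lower()
    return sha in DBUTIL_SHA256


def in_suspicious_folder(event: dict) -> bool:
    """Folder filter, mirroring `FolderPath has_any (...)`, which in KQL is
    case-insensitive, hence the lowercase comparison on both sides."""
    folder = (event.get("FolderPath") or "").lower()
    return any(prefix.lower() in folder for prefix in SUSPICIOUS_FOLDERS)


def find_dropped_dbutil(events: list) -> list:
    """Return the records the hunting query would surface: both filters must hold."""
    return [e for e in events if is_vulnerable_dbutil(e) and in_suspicious_folder(e)]


# Constructed sample records (device names and paths are invented).
SAMPLE_EVENTS = [
    # Vulnerable driver written to C:\Windows\Temp\ -> fires.
    {"DeviceName": "ws01", "FileName": "dbutil_2_3.sys",
     "FolderPath": "C:\\Windows\\Temp\\",
     "SHA256": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"},
    # Same driver outside the temp folders -> hash matches, but the query does not fire.
    {"DeviceName": "ws02", "FileName": "dbutil_2_3.sys",
     "FolderPath": "C:\\Users\\alice\\Downloads\\",
     "SHA256": "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"},
    # Unrelated file in C:\Temp\ -> folder matches, hash does not.
    {"DeviceName": "ws03", "FileName": "report.pdf",
     "FolderPath": "C:\\Temp\\",
     "SHA256": "ff" * 32},
    # Case variants of path and hash -> still fires in this implementation.
    {"DeviceName": "ws04", "FileName": "DBUTIL_2_3.SYS",
     "FolderPath": "c:\\temp\\",
     "SHA256": "552C297D6D7992F8B95287AC6E16F2169B6E629CB6AE0EE42036F093C36142D4"},
]

if __name__ == "__main__":
    for hit in find_dropped_dbutil(SAMPLE_EVENTS):
        print(f"{hit['DeviceName']}: {hit['FolderPath']}{hit['FileName']} ({hit['SHA256'][:12]}...)")
```

The second sample record is the one to keep in mind when triaging: the query is scoped to the two \Temp folders precisely because the driver ships legitimately with Dell tooling, so a copy elsewhere on disk is out of scope for this detection and would need a separate, broader hunt. Note also that the original KQL `in` operator is case-sensitive (use `in~` for a case-insensitive match), while `has_any` is not; the Python version lowercases both comparisons.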
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team