Query Details

CVE-2024-26234 and CVE-2024-29988

Query

//  CVE-2024-26234 and CVE-2024-29988
// 🚨Patching Prioritization - Zero-Day Exploits🚨
// https://www.linkedin.com/posts/activity-7183738500502990848-9rdu/

// Using DefenderXDR Exposure Management to determine the list of devices that are accessible by critical identities holding highly privileged roles and that are also vulnerable to both CVE-2024-26234 and CVE-2024-29988, which are currently exploited in malware attacks. As critical identities are part of your organization's attack surface and hold the keys to your tenant, plugging this hole significantly reduces your organization's risk from these Zero-Day exploits. 🫡

// Step 1: identities flagged as critical (criticality level below 4)
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | distinct NodeName;
// Step 2: devices those identities can authenticate to
let CriticalDevices =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    | join ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    | extend DName = tostring(NodeProperties.rawData.deviceName)
    // local admin flag is surfaced here but not filtered on
    | extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
    | where SourceNodeName has_any (CriticalIdentities)
    | distinct DName;
// Step 3: keep only those devices that carry either CVE
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-26234" or CveId == "CVE-2024-29988"
| where DeviceName has_any (CriticalDevices)

Explanation

This query is designed to identify devices within an organization that are both accessible by highly privileged identities and vulnerable to two specific security vulnerabilities (CVE-2024-26234 and CVE-2024-29988). Here's a simplified breakdown:

  1. Identify Critical Identities:
     • The query first finds all identities (users) that are considered critical, meaning they hold highly privileged roles and have a criticality level below 4.
  2. Find Devices Accessible by Critical Identities:
     • It then identifies the devices these critical identities can authenticate to, noting where the identity has local admin rights on the device.
  3. Check for Vulnerabilities:
     • Finally, it keeps only those devices that are vulnerable to the specified CVEs (CVE-2024-26234 and CVE-2024-29988).

The purpose of this query is to prioritize patching these devices, because both vulnerabilities are currently being exploited in malware attacks. Closing this exposure helps secure the organization's critical infrastructure by removing a path from its most privileged identities to vulnerable hosts.
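The variant below is an added example, not part of the original post: it tightens the query so that only "can authenticate to" edges where the critical identity is a local admin are kept, and reports which identities reach each vulnerable device together with the recommended update. It assumes the property paths used on the page and, as an assumption, matches devices on the lower-cased first DNS label because the exposure graph and the TVM table do not always record the device name in the same form.

```kql
// Added example (not the original author's query). Assumptions: same
// rawData property paths as the page; devices are matched on the
// lower-cased hostname (first DNS label) rather than the full name.
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | distinct NodeName;
let AdminReachableDevices =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    // exact match on the identity name instead of the term semantics of has_any
    | where SourceNodeName in (CriticalIdentities)
    | extend IsLocalAdmin = tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin)
    | where IsLocalAdmin == true
    | join kind=inner (ExposureGraphNodes | project NodeId, NodeProperties)
        on $left.TargetNodeId == $right.NodeId
    | extend Host = tolower(tostring(split(tostring(NodeProperties.rawData.deviceName), ".")[0]))
    // one row per device, listing every critical identity that is a local admin on it
    | summarize AdminIdentities = make_set(SourceNodeName) by Host;
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2024-26234", "CVE-2024-29988")
| extend Host = tolower(tostring(split(DeviceName, ".")[0]))
| summarize AffectedCves = make_set(CveId),
            Severity = make_set(VulnerabilitySeverityLevel),
            Updates = make_set(RecommendedSecurityUpdate)
            by DeviceName, Host
| join kind=inner AdminReachableDevices on Host
| project DeviceName, AffectedCves, Severity, AdminIdentities, Updates
// devices hit by both CVEs and reachable by the most critical admins first
| order by array_length(AffectedCves) desc, array_length(AdminIdentities) desc
```

Devices that a critical identity can reach without local admin rights drop out of this version; remove the IsLocalAdmin filter to get the broader set the original query returns.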

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices

Operators

let, |, where, set_has_element, isnotnull, and, <, distinct, ==, join, on, $left, $right, extend, tostring, has_any, or
