CVE 2024 26234 And CVE 2024 29988
Query
// CVE-2024-26234 and CVE-2024-29988
// 🚨Patching Prioritization - Zero-Day Exploits🚨
// https://www.linkedin.com/posts/activity-7183738500502990848-9rdu/
// Using DefenderXDR Exposure Management to determine the list of devices accessible by critical identities holding highly privilege roles and that the devices are also vulnerable to both CVE-2024-26234 and CVE-2024-29988 that currently exploited in malware attacks. As critical identities are part of your organization attack surface areas holding keys to your tenant, plugging this hole significantly reduce your organization risk against the Zero-Day exploits. 🫡
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-26234" or CveId == "CVE-2024-29988"
| where DeviceName has_any (CriticalDevices)
// MITRE ATT&CK Mapping
// The KQL code is designed to identify critical identities and devices, and then check for specific vulnerabilities on those devices. The associated MITRE ATT&CK techniques include:
// T1078: Valid Accounts
// T1078.001: Valid Accounts: Local Accounts
// T1078.003: Valid Accounts: Local Administrator Accounts
// T1190: Exploit Public-Facing Application
// T1210: Exploitation of Remote ServicesExplanation
This query is designed to help prioritize patching efforts by identifying devices within an organization that are vulnerable to two specific zero-day exploits, CVE-2024-26234 and CVE-2024-29988. Here's a simplified breakdown of what the query does:
-
Identify Critical Identities: The query first identifies critical identities within the organization. These are users or accounts with high privilege roles that are crucial to the organization's security. The query filters out identities with a criticality level less than 4, indicating they are highly important.
-
Find Devices Accessible by Critical Identities: Next, the query looks for devices that these critical identities can authenticate to. It checks if these identities have local administrative rights on the devices, which could increase the risk if the devices are compromised.
-
Check for Vulnerabilities: The query then checks if these identified devices have vulnerabilities related to the two specific CVEs mentioned. These vulnerabilities are currently being exploited in malware attacks, making them a high priority for patching.
-
Reduce Organizational Risk: By identifying and addressing these vulnerabilities on critical devices, the organization can significantly reduce its risk of being exploited through these zero-day vulnerabilities.
-
MITRE ATT&CK Mapping: The query also maps the identified risks to specific MITRE ATT&CK techniques, which are frameworks used to understand and mitigate cybersecurity threats. The techniques include:
- T1078: Valid Accounts
- T1078.001: Local Accounts
- T1078.003: Local Administrator Accounts
- T1190: Exploit Public-Facing Application
- T1210: Exploitation of Remote Services
Overall, this query helps security teams focus their efforts on the most critical areas by identifying high-risk devices and ensuring they are patched against known vulnerabilities.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators