Query Details

CVE-2024-38200 NTLM Exposure Detection

Query

// CVE-2024-38200 NTLM Exposure Detection
// Linkedin Post: https://www.linkedin.com/posts/0x534c_microsoft-discloses-unpatched-office-flaw-activity-7229115791139348480-X_Hi/
// Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker. Microsoft's exploitability assessment says that exploitation of CVE-2024-38200 is less likely, while MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.

// The KQL below uses Defender XDR Exposure Management to check for the presence of an NTLM hash on the endpoint and whether the endpoint successfully made an outbound NTLM authentication to a public internet IP, which indicates a high probability of NTLM hash exposure. Upon detection, SecOps should request that the user change their credential as a precaution until the endpoint is patched.

// Step 1: devices whose exposure-graph edge records an NTLM hash for a credential
let EndpointWithNTLMHash =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties.rawData.ntlmHash.ntlmHash == "true"
| distinct SourceNodeName;
// Step 2: of those devices, the ones with a Microsoft Office product in the TVM software inventory
let VulnerableEndpoint =
DeviceTvmSoftwareInventory
| where SoftwareName contains "office_" and SoftwareVendor == "microsoft"
| where DeviceName has_any (EndpointWithNTLMHash)
| distinct DeviceName;
// Step 3: successful outbound SMB (TCP 445) connections from those devices to public IPs
// RemotePort is an integer column, so compare against an integer literal
DeviceNetworkEvents
| where RemotePort == 445 and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (VulnerableEndpoint)

// MSRC - Microsoft Office Spoofing Vulnerability (Recently Updated)
// https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200

// https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/

Explanation

This KQL query is designed to detect potential exposure of NTLM hashes due to a high-severity vulnerability (CVE-2024-38200) in Microsoft Office 2016. Here's a simplified breakdown of what the query does:

  1. Identify Endpoints with NTLM Hashes:
    • It searches the ExposureGraphEdges table for "has credentials of" edges whose raw data records an NTLM hash, and keeps the source device names.
  2. Check for Vulnerable Software:
    • It then checks whether these endpoints have Microsoft Office 2016 installed by querying the DeviceTvmSoftwareInventory table (the filter matches any SoftwareName containing office_ from vendor microsoft, so other Office versions on the same device are included as well).
  3. Detect Outbound NTLM Authentication:
    • Finally, it looks in the DeviceNetworkEvents table for successful outbound connections from those endpoints to public IP addresses on port 445 (SMB). An SMB connection to an internet host implies an outbound NTLM authentication attempt and therefore a high probability of NTLM hash exposure.

If such activity is detected, it suggests that the NTLM hashes might have been exposed, and the security operations team should request the affected users to change their credentials as a precaution until the endpoint is patched.
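The three stages above, re-implemented offline over constructed sample rows so the correlation logic can be checked without a Defender tenant. This is an added example, not code from the original query or its author; it assumes rows are plain dicts shaped like the three tables, takes RemoteIPType as Defender populates it, and approximates the KQL has_any term match by comparing the short host label (the graph's SourceNodeName is typically a short name, while DeviceName in inventory and network events is usually an FQDN). The sample devices, IPs and events are constructed and cover the edge cases the query is meant to exclude: a device whose hash flag is false, a device with a hash but no Office, a private-IP SMB connection, a failed connection and a non-445 port.

```python
"""Offline re-implementation of the CVE-2024-38200 exposure query (added example).

Assumptions (not from the original page): rows are dicts shaped like the
Defender XDR tables ExposureGraphEdges, DeviceTvmSoftwareInventory and
DeviceNetworkEvents; RemoteIPType is used as Defender populates it.
"""


def host_label(name: str) -> str:
    """Normalise a device name to its lowercase short label so the graph's
    SourceNodeName and an FQDN DeviceName compare equal (approximates has_any)."""
    return name.split(".", 1)[0].lower()


def endpoints_with_ntlm_hash(edges):
    """Stage 1: devices whose 'has credentials of' edge records an NTLM hash."""
    found = set()
    for edge in edges:
        if edge.get("EdgeLabel") != "has credentials of":
            continue
        raw = edge.get("EdgeProperties", {}).get("rawData", {})
        flag = raw.get("ntlmHash", {}).get("ntlmHash", "")
        if str(flag).lower() == "true":
            found.add(host_label(edge["SourceNodeName"]))
    return found


def vulnerable_endpoints(inventory, hash_hosts):
    """Stage 2: of those devices, the ones with a Microsoft Office product.
    KQL 'contains' is case-insensitive, hence the lower() on SoftwareName."""
    return {
        host_label(row["DeviceName"])
        for row in inventory
        if "office_" in row["SoftwareName"].lower()
        and row["SoftwareVendor"] == "microsoft"
        and host_label(row["DeviceName"]) in hash_hosts
    }


def exposure_events(net_events, vuln_hosts):
    """Stage 3: successful outbound SMB (TCP 445) connections to public IPs
    from the vulnerable devices. Each returned row is a likely hash exposure."""
    return [
        ev for ev in net_events
        if ev["RemotePort"] == 445
        and ev["RemoteIPType"] == "Public"
        and ev["ActionType"] == "ConnectionSuccess"
        and host_label(ev["DeviceName"]) in vuln_hosts
    ]


def detect(edges, inventory, net_events):
    """Run the three stages in order and return the matching network events."""
    hash_hosts = endpoints_with_ntlm_hash(edges)
    vuln_hosts = vulnerable_endpoints(inventory, hash_hosts)
    return exposure_events(net_events, vuln_hosts)


# ---- Constructed sample data (not real telemetry) ----
def _edge(node, label, flag):
    return {"SourceNodeName": node, "EdgeLabel": label,
            "EdgeProperties": {"rawData": {"ntlmHash": {"ntlmHash": flag}}}}


SAMPLE_EDGES = [
    _edge("ws-finance-01", "has credentials of", "true"),   # hash present
    _edge("ws-hr-07", "has credentials of", "false"),       # no hash
    _edge("srv-files-02", "has credentials of", "true"),    # hash, but no Office
]

SAMPLE_INVENTORY = [
    {"DeviceName": "ws-finance-01.corp.example", "SoftwareVendor": "microsoft", "SoftwareName": "office_2016"},
    {"DeviceName": "ws-hr-07.corp.example", "SoftwareVendor": "microsoft", "SoftwareName": "office_2016"},
    {"DeviceName": "srv-files-02.corp.example", "SoftwareVendor": "microsoft", "SoftwareName": "windows_server_2019"},
    {"DeviceName": "ws-dev-03.corp.example", "SoftwareVendor": "microsoft", "SoftwareName": "office_2016"},
]


def _net(dev, ip, ip_type, port, action):
    return {"DeviceName": dev, "RemoteIP": ip, "RemoteIPType": ip_type,
            "RemotePort": port, "ActionType": action}


SAMPLE_NET_EVENTS = [
    _net("ws-finance-01.corp.example", "203.0.113.10", "Public", 445, "ConnectionSuccess"),  # match
    _net("ws-finance-01.corp.example", "10.0.0.5", "Private", 445, "ConnectionSuccess"),     # internal SMB
    _net("ws-finance-01.corp.example", "203.0.113.10", "Public", 445, "ConnectionFailed"),   # not successful
    _net("ws-finance-01.corp.example", "203.0.113.10", "Public", 443, "ConnectionSuccess"),  # not SMB
    _net("ws-hr-07.corp.example", "198.51.100.7", "Public", 445, "ConnectionSuccess"),       # no hash on device
    _net("srv-files-02.corp.example", "198.51.100.7", "Public", 445, "ConnectionSuccess"),   # no Office on device
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EDGES, SAMPLE_INVENTORY, SAMPLE_NET_EVENTS):
        print(f"{hit['DeviceName']} -> {hit['RemoteIP']}:{hit['RemotePort']} (likely NTLM hash exposure)")
```

Running the block prints a single hit for ws-finance-01; every other constructed event is dropped by exactly one of the three stages, which is a quick way to sanity-check a modified version of the KQL before deploying it as a custom detection.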

Details


Steven Lim

Released: August 13, 2024

Tables

ExposureGraphEdges, DeviceTvmSoftwareInventory, DeviceNetworkEvents

Keywords

Devices, Intune, User, ExposureManagement, NTLMHash, Endpoint, SecOps, Credential, SoftwareInventory, NetworkEvents, MicrosoftOffice, Vulnerability

Operators

let, |, ==, contains, has_any, distinct
