CVE 2024 7971 Patch Prioritization
Query
// CVE-2024-7971 Patch Prioritization
//Google has addressed a high-severity Chrome vulnerability that is currently being actively exploited. It’s crucial to identify which of your global administrators are using a vulnerable version of Chrome, especially if their credential cookies are stored on their endpoints. Given that threat actors are exploiting this flaw, it’s strongly recommended to patch the global admin endpoints immediately to significantly reduce the attack surface.
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel)
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| where NodeProperties has "Global Administrator"
| distinct NodeName;
let VulnerableEndPointwithBCookie =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties has "BrowserCookies"
| where TargetNodeName has_any (CriticalIdentities)
| distinct SourceNodeName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-7971"
| where DeviceName has_any (VulnerableEndPointwithBCookie)
// MITRE ATT&CK Mapping
// T1078.004: Valid Accounts: Cloud Accounts
// T1539: Steal Web Session Cookie
// T1190: Exploit Public-Facing Application
//These mappings help in understanding the potential tactics and techniques adversaries might use, based on the identified vulnerabilities and critical identities in your environment.Explanation
This query is designed to help prioritize patching for a specific high-severity vulnerability in Google Chrome, identified as CVE-2024-7971, which is actively being exploited. The goal is to identify and prioritize patching for devices used by global administrators who are at higher risk due to this vulnerability.
Here's a simplified breakdown of the query:
-
Identify Critical Identities:
- The query first identifies global administrators within the organization who have a criticality level below 4, indicating they are of high importance or risk.
-
Find Vulnerable Endpoints:
- It then checks for devices (endpoints) that store credential cookies for these critical global administrators. This is important because if these cookies are stored on a vulnerable version of Chrome, they could be exploited by attackers.
-
Check for Vulnerability:
- Finally, it filters devices that have the specific Chrome vulnerability (CVE-2024-7971) and are associated with the identified vulnerable endpoints.
-
MITRE ATT&CK Mapping:
- The query also references specific MITRE ATT&CK techniques that relate to the vulnerability, helping to understand the potential tactics and techniques adversaries might use. These include:
- T1078.004: Valid Accounts: Cloud Accounts
- T1539: Steal Web Session Cookie
- T1190: Exploit Public-Facing Application
- The query also references specific MITRE ATT&CK techniques that relate to the vulnerability, helping to understand the potential tactics and techniques adversaries might use. These include:
The overall recommendation is to immediately patch the identified vulnerable endpoints used by global administrators to reduce the risk of exploitation.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilities
Keywords
ExposuregraphnodesNodepropertiesCriticalidentitiesExposuregraphedgesEdgepropertiesTargetnodenameSourcenodenameDevicetvmsoftwarevulnerabilitiesDevicenameCveidCategoriesIdentityGlobalAdministratorBrowsercookies
Operators
let|whereset_has_elementisnotnulland<hasdistinct==has_any