Query Details

Critical Identities With Zero Day Chrome Vulnerability

Query

// Critical identities with zero-day Chrome vulnerability
// CVE-2025-4664 Chrome flaw with public exploit
// https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
// https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let AdminDevices =
ExposureGraphEdges 
| where EdgeLabel == "can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where ProcessVersionInfoProductVersion != "136.0.7103.114" and
ProcessVersionInfoProductVersion != "136.0.7103.113"
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceName has_any(AdminDevices)

Explanation

This query is designed to identify critical identities that might be at risk due to a specific zero-day vulnerability in Google Chrome. Here's a simplified breakdown of what the query does:

  1. Identify Critical Identities:

    • It looks for identities (users or accounts) marked as critical within a system, specifically those with a criticality level less than 4.
  2. Find Devices Administered by Critical Identities:

    • It identifies devices that these critical identities can authenticate to, especially where they have local admin rights.
  3. Check for Vulnerable Chrome Versions:

    • It examines recent device process events (from the last 30 days) to find instances of Google Chrome running on these devices.
    • It filters out devices running the secure versions of Chrome (versions "136.0.7103.114" and "136.0.7103.113"), focusing on those with older, potentially vulnerable versions.
  4. Output Devices at Risk:

    • Finally, it lists devices that are both administered by critical identities and running a vulnerable version of Chrome.

The goal is to pinpoint devices that are at risk due to the Chrome vulnerability, especially those managed by critical identities, so that appropriate security measures can be taken.

Details

Steven Lim profile picture

Steven Lim

Released: May 17, 2025

Tables

ExposureGraphNodesExposureGraphEdgesDeviceProcessEvents

Keywords

CriticalIdentitiesDevicesChromeVulnerabilityExploitAdminDeviceProcessEventsTimestampVersionInfoProductNameId

Operators

let|whereset_has_elementisnotnulland<distinct==joinonextendtostringhas_any!=summarizearg_maxby

Actions

GitHub