Query Details

Critical Identities With Zero Day Chrome Vulnerability

Query

// Critical identities with zero-day Chrome vulnerability
// CVE-2025-4664 Chrome flaw with public exploit
// https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
// https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/

// Identity nodes that carry a criticality level below 4
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
// Devices those identities can authenticate to (isLocalAdmin is extracted but not filtered on)
let AdminDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
// Most recent Chrome process per device in the last 30 days that is not on the patched build
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where ProcessVersionInfoProductVersion != "136.0.7103.114"
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceName has_any(AdminDevices)

Explanation

This KQL query is designed to identify critical identities that might be at risk due to a specific zero-day vulnerability in Google Chrome (CVE-2025-4664). Here's a simplified breakdown of what the query does:

  1. Identify Critical Identities:

    • It first selects nodes from the ExposureGraphNodes table that are categorized as "identity" and have a criticality level less than 4 (indicating high importance or risk).
    • It then collects the names of these critical identities.
  2. Find Devices Administered by Critical Identities:

    • It looks for edges in the graph database where there is a relationship labeled "can authenticate to," indicating that an identity can log into a device.
    • It joins those edges to the device nodes to get the device names and extracts whether the identity has local admin rights on the device into an isLocalAdmin column (the column is carried along but not filtered on).
    • It filters this list to include only those devices that critical identities can authenticate to.
  3. Detect Vulnerable Chrome Installations:

    • It searches for device process events from the last 30 days where the product name is "Google Chrome."
    • It keeps only Chrome process events whose version is not "136.0.7103.114," the patched build; note that a plain inequality also flags builds newer than the patch, not just older ones.
    • It summarizes these events to get the most recent event per device.
  4. Output:

    • Finally, it checks if any of these devices with outdated Chrome versions are administered by the critical identities identified earlier.

In essence, the query is identifying devices that are potentially vulnerable to a known Chrome exploit and are administered by critical identities, highlighting a potential security risk.
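The following is an added variant of the query above (it is not Steven Lim's query) that tightens the two loose points in the explanation: it filters on isLocalAdmin rather than just extracting it, and it compares Chrome versions numerically with parse_version() so builds newer than the fix are not flagged; it also keeps the identity name in the output for triage. It uses the same tables and columns as the original and assumes (an assumption, not something the page states) that DeviceProcessEvents.DeviceName and the graph's deviceName hold the device name in the same form once lower-cased.

```kql
// Added example, not the original query. Same sources as the page's query,
// with (1) an explicit local-admin filter, (2) a numeric version comparison,
// and (3) the critical identity carried through to the result.
let PatchedChrome = "136.0.7103.114";   // fixed build named in the original query
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | distinct NodeName;
let AdminDevices =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    | where SourceNodeName in (CriticalIdentities)
    // keep only edges where the identity actually holds local-admin rights
    | where tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin) == true
    | join kind=inner ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    // assumption: both sides use the same device-name form after lower-casing
    | extend DName = tolower(tostring(NodeProperties.rawData.deviceName))
    | where isnotempty(DName)
    | project Identity = SourceNodeName, DName
    | distinct Identity, DName;
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| summarize arg_max(Timestamp, DeviceName, ProcessVersionInfoProductVersion) by DeviceId
// "older than the fix" instead of "not equal to the fix"; unparsable
// version strings yield null and drop out of the comparison
| where parse_version(ProcessVersionInfoProductVersion) < parse_version(PatchedChrome)
| extend DName = tolower(DeviceName)
| join kind=inner AdminDevices on DName
| project Timestamp, DeviceId, DeviceName,
          ChromeVersion = ProcessVersionInfoProductVersion, Identity
| order by Timestamp desc
```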

Details

Steven Lim

Released: May 17, 2025

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceProcessEvents

Keywords

CriticalIdentities, Categories, NodeProperties, NodeName, AdminDevices, EdgeLabel, EdgeProperties, SourceNodeName, DeviceProcessEvents, Timestamp, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, DeviceId, DeviceName

Operators

let, |, where, set_has_element, isnotnull, and, <, distinct, ==, join, on, $left, ==, $right, extend, tostring, has_any, summarize, arg_max, by, >, !=