Query Details

Custom Detection for CVE-2024-38200 NTLMv2 Hash Exposure

Query

// Custom Detection for CVE-2024-38200 NTLMv2 Hash Exposure 🎫

// https://github.com/passtheticket/CVE-2024-38200

// CVE-2024-38200 is a high-severity spoofing vulnerability in Microsoft Office. The flaw can expose sensitive information, namely NTLMv2 hashes, to unauthorized actors. It affects multiple versions of Microsoft Office, including Office 2016, Office 2019, and the Office Long Term Servicing Channel (LTSC) 2021. It was discovered by Metin Yunus Kandemir (passtheticket), whose proof of concept (PoC) and details are linked above.
// Although the vulnerability was addressed in the August 2024 security updates for Microsoft Office, organizations without automated patching may still be exposed. If you use Microsoft Defender for Office 365, you can create a custom detection in Microsoft Defender XDR to identify potential abuse of this vulnerability. I have shared the KQL for this detection on my GitHub.

let OfficeURIs = dynamic(["ms-word:", "ms-powerpoint:", "ms-excel:", "ms-visio:", "ms-access:", "ms-project:", "ms-publisher:", "ms-spd:", "ms-infopath:"]);
let OfficeURICommands = dynamic(["ofv", "ofe"]);
UrlClickEvents
| where ActionType == @"ClickAllowed"
| where UrlChain has_any (OfficeURIs) and UrlChain has_any (OfficeURICommands)
| project Timestamp, ReportId, AccountUpn, IPAddress, Workload, UrlChain

// MITRE ATT&CK
// Technique: User Execution (T1204)
// Sub-technique: Malicious File (T1204.002)
// Technique: Application Layer Protocol (T1071)
// Sub-technique: Web Protocols (T1071.001)

Explanation

This KQL query is designed to detect potential exploitation of a high-severity vulnerability (CVE-2024-38200) in Microsoft Office, which could expose NTLMv2 hashes. Here's a simple summary of what the query does:

  1. Context: CVE-2024-38200 is a spoofing vulnerability in Microsoft Office that can expose sensitive information like NTLMv2 hashes. It affects multiple Office versions and was patched in August 2024. Organizations without automated patching might still be at risk.

  2. Purpose: The query aims to identify instances where this vulnerability might be exploited by monitoring specific URL clicks in Microsoft Defender for Office 365.

  3. Steps in the Query:

    • Define Office URIs: Lists the URI schemes for various Office applications (e.g., ms-word:, ms-excel:).
    • Define Commands: Lists specific commands associated with these URIs (e.g., "ofv", "ofe").
    • Filter Events: Looks at URL click events where the action was allowed (ClickAllowed).
    • Check URL Chain: Filters events where the URL chain contains any of the Office URIs and commands.
    • Project Data: Outputs relevant details such as timestamp, report ID, user account, IP address, workload, and the URL chain.

  4. MITRE ATT&CK Techniques:

    • User Execution (T1204): The activity depends on a user action, here clicking the link.
    • Malicious File (T1204.002): The user action opens a malicious file.
    • Application Layer Protocol (T1071): The activity uses an application layer protocol.
    • Web Protocols (T1071.001): The protocol in use is a web protocol.

In essence, this query helps organizations detect potential abuse of the CVE-2024-38200 vulnerability by monitoring specific URL clicks related to Office applications, thereby identifying possible exposure of NTLMv2 hashes.
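The query's filter and projection logic as an added Python example (not the page's or the author's code), run over constructed UrlClickEvents-style records. It assumes the documented Office URI scheme shape `<scheme>:<command>|u|<target url>` for the small parser that enriches each hit; that parser and the sample values are not part of the KQL query.

```python
import re

# Same lists as the KQL query: Office URI schemes and the open-for-view /
# open-for-edit commands it looks for in the clicked URL chain.
OFFICE_URIS = ["ms-word:", "ms-powerpoint:", "ms-excel:", "ms-visio:", "ms-access:",
               "ms-project:", "ms-publisher:", "ms-spd:", "ms-infopath:"]
OFFICE_URI_COMMANDS = ["ofv", "ofe"]
PROJECTED = ("Timestamp", "ReportId", "AccountUpn", "IPAddress", "Workload", "UrlChain")

# Assumption: Office URI scheme links have the documented shape
# <scheme>:<command>|u|<target url>; this parser is not part of the KQL query.
_OFFICE_URI_RE = re.compile(r"(?i)(ms-[a-z]+:)(ofv|ofe)\|u\|(\S+)")

def parse_office_uri(url: str) -> "dict | None":
    """Split an Office URI link into scheme, command and target for triage."""
    m = _OFFICE_URI_RE.search(url)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "command": m.group(2).lower(), "target": m.group(3)}

def detect(events: list) -> list:
    """Apply the query's filters to UrlClickEvents-style records and project the
    same columns. KQL has_any is term-based and case-insensitive; this
    approximates it with case-insensitive substring matching."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "ClickAllowed":
            continue
        chain = ev.get("UrlChain", "")
        low = chain.lower()
        if not (any(u in low for u in OFFICE_URIS) and any(c in low for c in OFFICE_URI_COMMANDS)):
            continue
        hit = {k: ev.get(k) for k in PROJECTED}
        hit["OfficeUri"] = parse_office_uri(chain)  # enrichment beyond the query
        hits.append(hit)
    return hits

# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-09-29T10:00:00Z", "ReportId": "r1", "AccountUpn": "alice@example.com",
     "IPAddress": "203.0.113.10", "Workload": "Email", "ActionType": "ClickAllowed",
     "UrlChain": "ms-word:ofe|u|https://external.example/share/doc.docx"},
    {"Timestamp": "2024-09-29T10:01:00Z", "ReportId": "r2", "AccountUpn": "bob@example.com",
     "IPAddress": "203.0.113.11", "Workload": "Teams", "ActionType": "ClickBlocked",
     "UrlChain": "ms-excel:ofv|u|https://external.example/sheet.xlsx"},
    {"Timestamp": "2024-09-29T10:02:00Z", "ReportId": "r3", "AccountUpn": "carol@example.com",
     "IPAddress": "203.0.113.12", "Workload": "Email", "ActionType": "ClickAllowed",
     "UrlChain": "https://contoso.example/report.docx"},
]
```

Only the first sample record passes both filters: the second is a blocked click and the third carries no Office URI scheme.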

Details


Steven Lim

Released: September 29, 2024

Tables

UrlClickEvents

Keywords

Devices, Intune, User, Security, Office, Vulnerability, Detection, Microsoft Defender, Url, IPAddress, Workload, MITRE ATTACK

Operators

let, dynamic, |, where, ==, has_any, and, project