Defender XDR Exposure Management For CVE 2024 38021
Query
// DefenderXDR exposure management for CVE-2024-38021
// https://www.linkedin.com/posts/activity-7216965236816297984-sJRu/
// July's Patch Tuesday unveiled critical Outlook moniker RCE dubbed as CVE-2024-38021. Do you know who are your Entra organization critical identities running a vulnerable Outlook that susceptible moniker RCE ? Prioritize on your Entra critical identities Outlook remediation as they hold keys to your Entra kingdom!
// Advance Hunting KQL to check Entra critical identities running vulnerable outlook:
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-38021"
| where DeviceName has_any (CriticalDevices)
// MITRE ATT&CK Mapping
// The KQL code is designed to identify critical identities and devices, and then find devices with a specific vulnerability. The associated MITRE ATT&CK techniques include:
// T1078: Valid Accounts
// T1077: Windows Admin Shares
// T1190: Exploit Public-Facing Application
// T1203: Exploitation for Client ExecutionExplanation
This KQL query is designed to help identify and prioritize the remediation of critical identities within an organization that are at risk due to a specific vulnerability in Outlook, identified as CVE-2024-38021. Here's a simplified breakdown of what the query does:
-
Identify Critical Identities:
- The query first identifies critical identities within the organization by filtering nodes that are categorized as "identity" and have a criticality level below 4. These are considered important because they have significant access or roles within the organization.
-
Identify Devices Associated with Critical Identities:
- It then finds devices that these critical identities can authenticate to. This is done by looking at the relationships (edges) between identities and devices, specifically those where the identity has administrative rights on the device.
-
Check for Vulnerability:
- Finally, the query checks if any of these identified devices have the specific vulnerability (CVE-2024-38021) in Outlook. This helps in pinpointing which devices need immediate attention to mitigate the risk.
-
MITRE ATT&CK Mapping:
- The query also maps the identified risks to specific MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats. The techniques mentioned (T1078, T1077, T1190, T1203) relate to valid accounts, administrative shares, exploiting public-facing applications, and exploitation for client execution, respectively.
In summary, this query helps security teams focus their efforts on protecting the most critical parts of their organization by identifying vulnerable devices associated with high-risk identities, thereby reducing the potential impact of the vulnerability.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilities
Keywords
DefenderXDRExposureManagementCVEPatchTuesdayOutlookEntraOrganizationIdentitiesRemediationAdvanceHuntingCriticalDevicesDeviceTvmSoftwareVulnerabilitiesMITREATT&CKTechniques
Operators
letset_has_elementwhereisnotnulland<distinctjoinon==extendtostringhas_any