Query Details

Defender XDR Exposure Management For CVE-2024-38021

Query

// DefenderXDR exposure management for CVE-2024-38021
// https://www.linkedin.com/posts/activity-7216965236816297984-sJRu/

// July's Patch Tuesday unveiled a critical Outlook moniker RCE dubbed CVE-2024-38021. Do you know which critical identities in your Entra organization are running an Outlook that is susceptible to the moniker RCE? Prioritize Outlook remediation for your Entra critical identities, as they hold the keys to your Entra kingdom!

// Advanced Hunting KQL to check which Entra critical identities are running a vulnerable Outlook:

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-38021"
| where DeviceName has_any (CriticalDevices)

Explanation

This KQL query is designed to identify critical identities within an organization that are running a vulnerable version of Outlook susceptible to the CVE-2024-38021 Remote Code Execution (RCE) vulnerability. Here's a simplified breakdown of what the query does:

  1. Identify Critical Identities:

    • It first looks for critical identities within the organization's exposure graph nodes.
    • These identities are filtered based on their criticality level, specifically those with a criticality level less than 4.
    • The distinct names of these critical identities are stored.
  2. Identify Devices Used by Critical Identities:

    • It then examines the exposure graph edges to find devices that these critical identities can authenticate to.
    • It joins this information with the exposure graph nodes to get the device names and also extracts the isLocalAdmin flag showing whether the identity has local admin rights on those devices (the flag is extended for reference but not used as a filter).
    • The distinct names of these devices are stored.
  3. Check for Vulnerable Outlook Installations:

    • Finally, it checks the list of devices to see if they have any software vulnerabilities related to CVE-2024-38021.
    • It filters the devices to find those running the vulnerable version of Outlook.

In summary, this query helps prioritize the remediation of Outlook installations on devices used by critical identities within the organization, ensuring that these key users are protected from the CVE-2024-38021 vulnerability.
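As an added example, not the original query, the same hunt is rewritten below to keep the identity-to-device-to-CVE mapping instead of collapsing it to distinct names, so each finding can be ranked by identity criticality and by whether that identity is a local admin on the device. It assumes the ExposureGraphEdges.SourceNodeId column, the SoftwareName, SoftwareVersion and RecommendedSecurityUpdate columns of DeviceTvmSoftwareVulnerabilities, and matches devices on the lower-cased short host name because the graph may carry a short name while TVM reports an FQDN.

```kql
// Added example (not the original query): preserve identity -> device -> CVE
// rows so remediation can be ordered by criticality and local-admin exposure.
// Assumptions: ExposureGraphEdges.SourceNodeId; SoftwareName, SoftwareVersion
// and RecommendedSecurityUpdate in DeviceTvmSoftwareVulnerabilities; device
// names compared on the lower-cased short (pre-dot) host name.
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
    | extend CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
    | where CriticalityLevel < 4
    | project IdentityNodeId = NodeId, IdentityName = NodeName, CriticalityLevel;
let CriticalIdentityDevices =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    // inner join keeps only edges whose source node is a critical identity
    | join kind=inner CriticalIdentities on $left.SourceNodeId == $right.IdentityNodeId
    // pull the device node to read its name from the raw graph data
    | join kind=inner ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    | extend GraphDeviceName = tostring(NodeProperties.rawData.deviceName)
    | extend IsLocalAdmin = tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin)
    | extend HostKey = tolower(tostring(split(GraphDeviceName, ".")[0]))
    | project IdentityName, CriticalityLevel, IsLocalAdmin, GraphDeviceName, HostKey;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-38021"
| extend HostKey = tolower(tostring(split(DeviceName, ".")[0]))
| join kind=inner CriticalIdentityDevices on HostKey
| project IdentityName, CriticalityLevel, IsLocalAdmin, DeviceName,
          SoftwareName, SoftwareVersion, RecommendedSecurityUpdate
// most critical identities first, local admins ahead of standard users
| sort by CriticalityLevel asc, IsLocalAdmin desc, IdentityName asc
```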

Details

Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

DefenderXDR, ExposureManagement, CVE, PatchTuesday, Outlook, RCE, Entra, Organization, Identities, Remediation, Hunting, KQL

Operators

let, |, where, set_has_element, isnotnull, and, <, distinct, ==, join, on, $left, $right, extend, tostring, has_any