Query Details

Defending Against CVE-2024-21413 Outlook MonikerLink Bug Abuse

Query

//Defending against CVE-2024-21413 Outlook MonikerLink Bug Abuse
//https://www.linkedin.com/pulse/defending-against-cve-2024-21413-outlook-monikerlink-bug-steven-lim-wesac/

// Step 1: build the set of devices that Defender Vulnerability Management
// still reports as exposed to CVE-2024-21413
let VulnerableEndpoints =
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-21413"
| project DeviceId;
// Step 2: take Outlook process events and pair them with the network events
// seen on the same device (join key: DeviceId)
DeviceProcessEvents
| where FileName=="OUTLOOK.EXE"
| join DeviceNetworkEvents on DeviceId
// Step 3: keep only vulnerable devices, and only successful outbound SMB
// (TCP 445) connections to public IP addresses.
// ActionType1 is DeviceNetworkEvents.ActionType: both tables carry an
// ActionType column, so the join suffixes the right-hand one with "1".
| where DeviceId has_any(VulnerableEndpoints)
| where RemotePort == 445
| where RemoteIPType=="Public"
| where ActionType1=="ConnectionSuccess"
// Step 4: columns worth triaging
| project Timestamp, DeviceName, AccountUpn, ActionType1, RemoteIP

Explanation

This KQL (Kusto Query Language) query is designed to surface possible exploitation of CVE-2024-21413, the Outlook MonikerLink bug, in Microsoft Defender XDR advanced hunting data. Here's a simplified summary of what the query does:

  1. Identify Vulnerable Devices:

    • It first looks for devices that have the CVE-2024-21413 vulnerability by checking the DeviceTvmSoftwareVulnerabilities table.
    • It extracts the DeviceId of these vulnerable devices.
  2. Monitor Outlook Activity:

    • It then checks the DeviceProcessEvents table for processes where the FileName is "OUTLOOK.EXE".
    • It joins this data with the DeviceNetworkEvents table using the DeviceId.
  3. Filter for Specific Network Activity:

    • It filters the results to include only those devices that are in the list of vulnerable endpoints.
    • It further narrows down the results to network events where:
      • The RemotePort is 445 (commonly used for SMB/CIFS network file sharing).
      • The RemoteIPType is "Public" (indicating the connection is to a public IP address).
      • The ActionType1 (the ActionType column of DeviceNetworkEvents, renamed by the join because DeviceProcessEvents also has an ActionType column) is "ConnectionSuccess" (indicating a successful connection).
  4. Output Relevant Information:

    • Finally, it projects (selects) the relevant columns: Timestamp, DeviceName, AccountUpn (user account), ActionType1, and RemoteIP.

In essence, this query identifies instances where vulnerable devices running Outlook have successfully connected to a public IP on port 445. Outbound SMB to the internet from an Outlook-running host is a strong signal, because the MonikerLink bug is abused to make Outlook open a file:// link to an attacker-controlled share, which triggers an SMB connection (and NTLM authentication) to that remote host.
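The query above joins every Outlook process event on a device with every network event on that device, so a busy host produces many duplicate rows and the process event may be hours away from the connection it is paired with. The following variant, an added example rather than the author's query, keeps the same detection logic (vulnerable device, TCP 445, public IP, successful connection) but uses the InitiatingProcessFileName column that DeviceNetworkEvents already carries, so no join with DeviceProcessEvents is needed, and scopes both tables to a time window. It assumes the standard Defender XDR schema for these tables and a 7-day lookback.

```kql
// Added example: same detection as the page's query, without the cross join.
let lookback = 7d;
let VulnerableEndpoints =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-21413"
    | distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// "in" is the set-membership operator; it matches the DeviceId exactly
| where DeviceId in (VulnerableEndpoints)
// the process that opened the socket is recorded on the network event itself
| where InitiatingProcessFileName =~ "outlook.exe"
| where RemotePort == 445
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
// RemoteUrl, when populated, shows the UNC/hostname Outlook was steered to
| project Timestamp, DeviceName, InitiatingProcessAccountUpn,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemoteUrl
| order by Timestamp desc
```

Because the original query relies on Outlook launching and the connection happening on the same device, while this one requires Outlook to be the initiating process of the connection, the two are complementary: the first is noisier but catches cases where the SMB connection is made by a helper process, the second gives a direct process-to-connection attribution.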

Details

Steven Lim

Released: August 2, 2024

Tables

DeviceTvmSoftwareVulnerabilities, DeviceProcessEvents, DeviceNetworkEvents

Keywords

DeviceTvmSoftwareVulnerabilities, DeviceProcessEvents, DeviceNetworkEvents, DeviceId, FileName, RemotePort, RemoteIPType, ActionType, Timestamp, DeviceName, AccountUpn, RemoteIP

Operators

let, ==, |, project, join, on, has_any