Query Details

Defending Against Windows Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412)

Query

//Defending against Windows Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412)
//https://www.linkedin.com/pulse/defending-against-windows-internet-shortcut-files-security-steven-lim-tbnoe/

UrlClickEvents
| where Timestamp > ago(1h)
// UrlChain is a dynamic array holding every hop of the redirect chain; expand it so the
// $-anchored pattern is tested against each hop as its own string
| mv-expand UrlChain to typeof(string)
// verbatim string (@"...") so the regex needs no doubled backslashes; (?i) also catches .URL
| where UrlChain matches regex @"(?i)https?://.+\.url(\?.*)?(#.*)?$"

Explanation

This query is a hunting rule for Microsoft Defender XDR advanced hunting. It surfaces clicks on links that resolve to Windows Internet Shortcut (.url) files, the delivery vehicle for CVE-2024-21412, a security feature bypass in which a crafted Internet Shortcut lets a downloaded file skip the SmartScreen warning that Windows normally shows for content carrying the Mark of the Web. Microsoft fixed the flaw in its February 2024 security update; the query is a compensating detection for clicks that reach such files.

Here's a breakdown of what the query does:

  1. Source Table: It reads the UrlClickEvents table, the Safe Links click telemetry from Microsoft Defender for Office 365 (clicks on URLs in email, Teams and Office documents). Each row carries the clicked Url, the redirect hops in UrlChain, and columns such as AccountUpn, Workload and IsClickedThrough for triage.
  2. Time Filter: It keeps only events from the last hour (Timestamp > ago(1h)). That window suits a frequently scheduled custom detection; widen it (for example ago(30d)) when hunting retrospectively.
  3. URL Pattern Matching: It keeps URLs in the redirect chain that match a regular expression. The pattern looks for URLs that:
    • Start with "http" or "https" (https?://)
    • Contain any characters after that (.+)
    • End with ".url", optionally followed by a query string (\?.*) and/or a fragment (#.*), then end of string ($).

Two details matter when running it. UrlChain is a dynamic (JSON array) column, so expand it with mv-expand before matching; otherwise the $ anchor is tested against the serialized array, where the closing characters of the array follow ".url" and the bare-hop case is missed. And RE2 matching is case-sensitive by default, so add (?i) to catch ".URL" or ".Url", which Windows treats identically.

In summary, this query identifies URL click events from the past hour whose redirect chain ends in an Internet Shortcut file. A .url file is not malicious by itself (intranet bookmarks are common), so treat hits as leads: check whether the click was allowed through, who clicked, and whether the host is known.
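To see how the pattern behaves on realistic click data, here is an added Python harness (not part of the original query or the author's article) that applies the page's regex, and a case-insensitive variant, to a few constructed UrlClickEvents-style rows with hypothetical hosts under example.test. It contrasts matching each hop of UrlChain separately (what mv-expand gives you in KQL) with matching the whole chain serialized as one JSON string.

```python
import json
import re

# Regex from the page's KQL query as Python sees it (KQL's "\\." is the regex \.).
KQL_PATTERN = r"https?://.+\.url(\?.*)?(#.*)?$"
# Same pattern with RE2's (?i) flag, which KQL also accepts, so .URL / .Url match too.
KQL_PATTERN_CI = r"(?i)" + KQL_PATTERN

# Constructed rows shaped like UrlClickEvents (hypothetical hosts; UrlChain is the
# dynamic array of every hop in the Safe Links redirect chain).
SAMPLE_EVENTS = [
    {"Url": "https://cdn.example.test/report.url",
     "UrlChain": ["https://cdn.example.test/report.url"]},
    {"Url": "https://go.example.test/r/9f2",
     "UrlChain": ["https://go.example.test/r/9f2",
                  "https://files.example.test/Invoice.URL?id=7"]},
    {"Url": "https://www.example.test/news.html",
     "UrlChain": ["https://www.example.test/news.html"]},
]


def hop_matches(url_chain, pattern):
    """Per-hop check: the hops that match, i.e. what `mv-expand UrlChain`
    followed by `matches regex` keeps."""
    return [u for u in url_chain if re.search(pattern, u)]


def serialized_matches(url_chain, pattern):
    """Whole-array check: the pattern applied to the chain serialized as one
    compact JSON string, the shape a dynamic column has when it is compared
    as a single string instead of hop by hop."""
    return re.search(pattern, json.dumps(url_chain, separators=(",", ":"))) is not None


def hunt(events, pattern, per_hop=True):
    """Return the clicked Url of every event whose chain contains a .url hop."""
    hits = []
    for ev in events:
        if per_hop:
            matched = bool(hop_matches(ev["UrlChain"], pattern))
        else:
            matched = serialized_matches(ev["UrlChain"], pattern)
        if matched:
            hits.append(ev["Url"])
    return hits


if __name__ == "__main__":
    for label, pat in (("original", KQL_PATTERN), ("case-insensitive", KQL_PATTERN_CI)):
        print(f"{label:17} per hop   : {hunt(SAMPLE_EVENTS, pat)}")
        print(f"{label:17} serialized: {hunt(SAMPLE_EVENTS, pat, per_hop=False)}")
```

Per hop, the original pattern finds the bare report.url click but not Invoice.URL, and the (?i) variant finds both. Against the serialized chain the results invert in an unhelpful way: the bare .url hop is missed because the array's closing characters sit between ".url" and the $ anchor, while the Invoice.URL hop is caught only because its query string (\?.*) happens to swallow the JSON tail. Expanding the chain first makes the rule's behaviour predictable.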

Details


Steven Lim

Released: August 2, 2024

Tables

UrlClickEvents

Keywords

UrlClickEvents, Timestamp, UrlChain

Operators

ago, matches regex, where, >, |
