Detect CVE 2024 31497
Query
// Detect CVE-2024-31497
// https://www.linkedin.com/posts/activity-7185927077483708416-qNtB/
// To check if you have a 521-bit ECDSA key in PuTTY, you can use the following command in the PuTTY terminal (Look for ecdsa-sha2-nistp521)
// ssh-keygen -l -f ~/.ssh/id_ecdsa
// KQL to check for impacted putty installation.
DeviceTvmSoftwareInventory
| where SoftwareName contains "putty"
| where SoftwareVersion contains "0.68" or SoftwareVersion contains "0.69" or SoftwareVersion contains "0.70" or SoftwareVersion contains "0.71" or SoftwareVersion contains "0.72" or SoftwareVersion contains "0.73" or SoftwareVersion contains "0.74" or SoftwareVersion contains "0.75" or
SoftwareVersion contains "0.76" or SoftwareVersion contains "0.77" or SoftwareVersion contains "0.78" or SoftwareVersion contains "0.79" or SoftwareVersion contains "0.80"
// MITRE ATT&CK Mapping
// The detection of specific software versions, especially those known to have vulnerabilities, can be associated with several MITRE ATT&CK techniques. Here are some relevant techniques:
// T1082 - System Information Discovery: Adversaries may attempt to get a listing of software installed on a system to identify potential vulnerabilities1.
// T1518.001 - Software Discovery: This technique involves adversaries querying the software installed on a system to find vulnerabilities they can exploit2.
// T1070.004 - File Deletion: If an adversary identifies vulnerable software, they might attempt to delete logs or other files to cover their tracks3.Explanation
This KQL query is designed to identify installations of the PuTTY software on devices that might be vulnerable to a specific security issue, CVE-2024-31497. The query searches through a database of software inventories on devices to find instances of PuTTY with versions ranging from 0.68 to 0.80. These versions are potentially impacted by the vulnerability.
The query is part of a security assessment process to detect and mitigate risks associated with known vulnerabilities. It also references the MITRE ATT&CK framework, which is a model for understanding the actions adversaries might take. Specifically, it relates to:
- T1082 - System Information Discovery: Adversaries might look for software installed on a system to identify vulnerabilities.
- T1518.001 - Software Discovery: This involves searching for software on a system to find exploitable vulnerabilities.
- T1070.004 - File Deletion: Adversaries might delete files or logs to hide their activities after identifying vulnerable software.
The query helps security teams identify and address potential security risks associated with outdated or vulnerable software installations.
