Query Details
# *Detect CVE exploits on network for which a device is vulnerable*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1203 | Exploitation for Client Execution | https://attack.mitre.org/techniques/T1203/ |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068/ |
| T1210 | Exploitation of Remote Services | https://attack.mitre.org/techniques/T1210/ |
#### Description
This detection query finds specific CVE exploits passing on the wire that target a device which, according to the TVM data, is vulnerable to that same CVE. Because a hit requires both the network signature and the matching vulnerability on the same device, the query should have a very high true-positive (TP) rate and can be considered a 'High severity' query.
#### Risk
Detection of CVE exploits depends on the CVE detections Microsoft included in the Zeek engine of MDE.
#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- https://hybridbrothers.com/analyzing-mde-network-inspections/
## Defender XDR
```KQL
// Get all the TVM data
let tvm_data = DeviceTvmSoftwareVulnerabilities
| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;
// Get CVE signatures on the network
DeviceNetworkEvents
| where ActionType contains "NetworkSignatureInspected"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend SignatureName = tostring(AdditionalFields.SignatureName),
SignatureMatchedContent = tostring(AdditionalFields.SignatureMatchedContent),
SamplePacketContent = tostring(AdditionalFields.SamplePacketContent)
| where SignatureName contains "CVE"
// Join the TVM data of the related device
| join kind=inner tvm_data on DeviceName
// Check if the server is vulnerable to the detected CVE in network traffic
| where SignatureName == CveId
| project-away DeviceName1
```
## Sentinel
```KQL
N/A
```

This query is designed to identify potential security threats on a network by detecting known vulnerabilities (CVE exploits) that are actively being exploited. Here's a simplified breakdown of what the query does:

- **Collect vulnerability data:** It first gathers information about software vulnerabilities on devices within the network. This includes details like the device name, software name, version, and the specific CVE (Common Vulnerabilities and Exposures) ID associated with each vulnerability.
- **Monitor network traffic:** The query then examines network events to identify any traffic that matches known CVE signatures. This involves inspecting network packets for specific patterns or signatures that indicate an exploit attempt.
- **Match vulnerabilities with network events:** It cross-references the detected network signatures with the vulnerability data to find instances where a device on the network is vulnerable to a CVE that is currently being exploited in the network traffic.
- **Filter relevant results:** Finally, it filters the results to show only those cases where there is a match between the CVE signature detected in the network traffic and the vulnerabilities present on the devices.

Overall, this query helps in identifying and alerting on high-severity security threats by detecting when a device on the network is being targeted by an exploit for which it is known to be vulnerable.
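To make the join logic above concrete, here is an added Python replay of the same four steps over constructed sample rows. This is example code written for this page, not part of the original query or of Defender XDR; the device names, software names, versions and CVE ids (`CVE-0000-000x`) are placeholders, and the `AdditionalFields` JSON is constructed to mirror the fields the KQL parses with `todynamic()`. It applies the same semantics the query relies on: KQL `contains` is case-insensitive, `==` is case-sensitive, `distinct` collapses duplicate TVM rows, and the inner join on `DeviceName` drops signature hits against devices that TVM does not list as vulnerable to that CVE.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample rows standing in for DeviceTvmSoftwareVulnerabilities.
# Device names, software, versions and CVE ids are placeholders, not real findings.
TVM_ROWS: List[Dict[str, Any]] = [
    {"DeviceName": "web01.example.local", "SoftwareName": "example-logging-lib",
     "SoftwareVendor": "example-vendor", "SoftwareVersion": "2.14.1",
     "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "Critical"},
    {"DeviceName": "web01.example.local", "SoftwareName": "example-tls-lib",
     "SoftwareVendor": "example-vendor", "SoftwareVersion": "1.1.1",
     "CveId": "CVE-0000-0002", "VulnerabilitySeverityLevel": "High"},
    # exact duplicate row: the query's `distinct` collapses it
    {"DeviceName": "web01.example.local", "SoftwareName": "example-tls-lib",
     "SoftwareVendor": "example-vendor", "SoftwareVersion": "1.1.1",
     "CveId": "CVE-0000-0002", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "app02.example.local", "SoftwareName": "example-logging-lib",
     "SoftwareVendor": "example-vendor", "SoftwareVersion": "2.17.1",
     "CveId": "CVE-0000-0003", "VulnerabilitySeverityLevel": "Medium"},
]

# Constructed sample rows standing in for DeviceNetworkEvents. AdditionalFields is the
# JSON string the query parses with todynamic(); signature names are placeholders.
NETWORK_EVENTS: List[Dict[str, Any]] = [
    # 1) CVE signature seen against a device TVM says is vulnerable to it -> should alert
    {"Timestamp": "2025-01-26T10:00:00Z", "DeviceName": "web01.example.local",
     "ActionType": "NetworkSignatureInspected", "RemoteIP": "203.0.113.10",
     "AdditionalFields": json.dumps({"SignatureName": "CVE-0000-0001",
                                     "SignatureMatchedContent": "<matched bytes>",
                                     "SamplePacketContent": "<packet sample>"})},
    # 2) same signature against a device TVM lists with a different CVE only -> dropped
    {"Timestamp": "2025-01-26T10:01:00Z", "DeviceName": "app02.example.local",
     "ActionType": "NetworkSignatureInspected", "RemoteIP": "203.0.113.10",
     "AdditionalFields": json.dumps({"SignatureName": "CVE-0000-0001"})},
    # 3) non-CVE signature -> dropped by the `contains "CVE"` filter
    {"Timestamp": "2025-01-26T10:02:00Z", "DeviceName": "web01.example.local",
     "ActionType": "NetworkSignatureInspected", "RemoteIP": "198.51.100.7",
     "AdditionalFields": json.dumps({"SignatureName": "Generic_Scanner_UserAgent"})},
    # 4) different ActionType -> dropped before AdditionalFields is even parsed
    {"Timestamp": "2025-01-26T10:03:00Z", "DeviceName": "web01.example.local",
     "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.7",
     "AdditionalFields": "{}"},
]

TVM_COLUMNS = ("DeviceName", "SoftwareName", "SoftwareVendor",
               "SoftwareVersion", "CveId", "VulnerabilitySeverityLevel")


def distinct_tvm(rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Mirror `distinct DeviceName, SoftwareName, ..., VulnerabilitySeverityLevel`."""
    seen = set()
    out: List[Dict[str, Any]] = []
    for row in rows:
        key = tuple(row.get(c) for c in TVM_COLUMNS)
        if key not in seen:
            seen.add(key)
            out.append({c: row.get(c) for c in TVM_COLUMNS})
    return out


def detect_exploits_on_vulnerable_devices(events: Iterable[Dict[str, Any]],
                                          tvm_rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Replay the query: keep signature-inspection events whose signature names a CVE,
    inner-join TVM data on DeviceName, keep rows where SignatureName equals CveId."""
    tvm_by_device: Dict[str, List[Dict[str, Any]]] = {}
    for row in distinct_tvm(tvm_rows):
        tvm_by_device.setdefault(row["DeviceName"], []).append(row)

    hits: List[Dict[str, Any]] = []
    for ev in events:
        # KQL `contains` is case-insensitive, so compare lower-cased
        if "networksignatureinspected" not in str(ev.get("ActionType", "")).lower():
            continue
        try:
            extra = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            extra = {}  # unparsable AdditionalFields carries no signature name
        sig = str(extra.get("SignatureName", ""))
        if "cve" not in sig.lower():
            continue
        # join kind=inner on DeviceName, then `where SignatureName == CveId` (case-sensitive)
        for vuln in tvm_by_device.get(ev["DeviceName"], []):
            if sig == vuln["CveId"]:
                hit = dict(ev)
                hit.update({"SignatureName": sig,
                            "SignatureMatchedContent": str(extra.get("SignatureMatchedContent", "")),
                            "SamplePacketContent": str(extra.get("SamplePacketContent", ""))})
                # project-away DeviceName1: keep a single DeviceName column from the event side
                hit.update({k: v for k, v in vuln.items() if k != "DeviceName"})
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in detect_exploits_on_vulnerable_devices(NETWORK_EVENTS, TVM_ROWS):
        print(h["Timestamp"], h["DeviceName"], h["SignatureName"],
              h["SoftwareName"], h["SoftwareVersion"], h["VulnerabilitySeverityLevel"])
```

Running it yields exactly one hit (event 1): the other three events are dropped for the same reasons the KQL drops them, which is a quick way to sanity-check the correlation before tuning the query in the tenant.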

Robbe Van den Daele
Released: January 26, 2025