Query Details

Device Known Ransomware Vuln

Query

//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and find any devices that have vulnerabilities known to be used with ransomware

//Data connector required for this query - Advanced Hunting license


let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse: string, notes: string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
| join kind=inner KEV on cveID
| where knownRansomwareCampaignUse =~ "Known"
| summarize ['Vulnerabilities']=make_set(cveID) by DeviceName
| extend ['Count of Known Exploited Vulnerabilities'] = array_length(['Vulnerabilities'])
| sort by ['Count of Known Exploited Vulnerabilities']


//This version looks specifically for internet facing devices

let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse: string, notes: string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
let publicdevices=
DeviceInfo
| where IsInternetFacing
| summarize arg_max(Timestamp, *) by DeviceId
| distinct DeviceName;
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
| join kind=inner KEV on cveID
| where knownRansomwareCampaignUse =~ "Known"
| where DeviceName in (publicdevices)
| summarize ['Vulnerabilities']=make_set(cveID), ['Count of Known Exploited Vulnerabilities']=dcount(cveID) by DeviceName

Explanation

The query searches for devices that have vulnerabilities known to be used with ransomware. It reads the list of Known Exploited Vulnerabilities published by CISA (the externaldata call above; an Advanced Hunting license is required). The query joins that list with the DeviceTvmSoftwareVulnerabilities table on the CVE ID and keeps only entries whose knownRansomwareCampaignUse field is "Known". It then summarizes the set and count of known exploited vulnerabilities for each device and sorts the results by that count.

There is also a version of the query that specifically looks for internet-facing devices. It uses the IsInternetFacing property in the DeviceInfo table to filter for public devices before joining with the list of vulnerabilities. The results are then summarized and sorted.
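As an added example (not one of the page's own queries), the following KQL extends the same KEV join so each device row also shows the affected software, the recommended update, CISA's remediation dueDate with an overdue flag, and whether the device is internet facing. It assumes the standard Defender schema columns SoftwareVendor, SoftwareName and RecommendedSecurityUpdate in DeviceTvmSoftwareVulnerabilities and IsInternetFacing in DeviceInfo.

```kql
// Added example, not the page's own query. Assumes the Defender schema columns
// SoftwareVendor, SoftwareName, RecommendedSecurityUpdate (DeviceTvmSoftwareVulnerabilities)
// and IsInternetFacing (DeviceInfo).
let KEV =
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse: string, notes: string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv', ignorefirstrecord=true);
// Latest DeviceInfo record per device, keeping only the exposure flag
let exposure =
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, IsInternetFacing;
DeviceTvmSoftwareVulnerabilities
| project DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, RecommendedSecurityUpdate, cveID = CveId
| join kind=inner KEV on cveID
| where knownRansomwareCampaignUse =~ "Known"
// leftouter so devices missing from DeviceInfo are still reported
| join kind=leftouter exposure on DeviceId
// A KEV entry is overdue once CISA's remediation due date has passed
| extend Overdue = dueDate < now()
| summarize
    ['Vulnerabilities'] = make_set(cveID),
    ['Count of Known Exploited Vulnerabilities'] = dcount(cveID),
    ['Overdue Count'] = dcountif(cveID, Overdue),
    ['Earliest Due Date'] = min(dueDate),
    ['Affected Software'] = make_set(strcat(SoftwareVendor, " ", SoftwareName)),
    ['Recommended Updates'] = make_set(RecommendedSecurityUpdate),
    IsInternetFacing = take_any(IsInternetFacing)
    by DeviceName, OSPlatform
// Internet-facing devices with overdue KEV entries float to the top
| sort by IsInternetFacing desc, ['Overdue Count'] desc, ['Count of Known Exploited Vulnerabilities'] desc
```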

Details

Matt Zorich

Released: October 18, 2023

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

Keywords: Devices, Intune, User, KnownExploitedVulnerabilities, CISA, Ransomware, Dataconnector, AdvancedHuntinglicense, DeviceTvmSoftwareVulnerabilities, DeviceName, OSPlatform, cveID, join, knownRansomwareCampaignUse, summarize, make_set, array_length, sort, InternetFacing, publicdevices, DeviceInfo, IsInternetFacing, Timestamp, DeviceId, distinct, dcount

Operators

externaldata, project, join, where, summarize, extend, sort, distinct, dcount