Query Details

Domain Controllers With The Most Vulnerabilities

Query

let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any (AllDomainControllers)
| summarize TotalVulnerabilities = count(), VulnerabeCVE = make_set(CveId) by DeviceName
| sort by TotalVulnerabilities
// Join with random event to get the required fields if you want to detect on this behaviour, the DeviceTvmSoftwareVulnerabilities does not contain the needed events. Ignore the process tree and only look at the raw events.
//  join kind=inner (DeviceEvents
//| where Timestamp > ago(30d)
//| summarize arg_max(Timestamp, *) by DeviceId
//| project DeviceId, Timestamp, ReportId) on DeviceId

About this query

Domain Controllers with the most vulnerabilities


Defender XDR

Explanation

This query is designed to identify domain controllers with the most software vulnerabilities using Microsoft Defender XDR data. Here's a simplified breakdown of what the query does:

  1. Identify Domain Controllers:

    • The query first identifies domain controllers by looking for network events where the local port is 88 (commonly used for Kerberos authentication) and the IP type indicates a "FourToSixMapping."
    • It collects the unique device IDs of these domain controllers into a set called AllDomainControllers.
  2. Find Vulnerabilities:

    • It then checks the DeviceTvmSoftwareVulnerabilities table for any vulnerabilities associated with the domain controllers identified in the first step.
    • For each domain controller, it counts the total number of vulnerabilities and compiles a list of unique CVE (Common Vulnerabilities and Exposures) IDs.
  3. Sort Results:

    • The results are sorted by the total number of vulnerabilities, allowing you to see which domain controllers have the most vulnerabilities.
  4. Additional Context (Commented Out):

    • There's a commented-out section suggesting a potential enhancement: joining this data with recent device events to get additional context, such as timestamps and report IDs. This part is not executed in the current query but is suggested for further analysis if needed.

Overall, this query helps security analysts quickly identify which domain controllers in their network are most at risk due to software vulnerabilities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEventsDeviceTvmSoftwareVulnerabilities

Keywords

DeviceNetworkEventsLocalPortIPTypeTvmSoftwareVulnerabilitiesNameCveIdTimestampReport

Operators

let==summarizemake_sethas_anycountbysort

Actions

GitHub