Query Details

Exposure Management Slims Metric Max CVSS DAW

Query

//Exposure Management - Slim's Metric (MaxCVSS-DAW)
//https://www.linkedin.com/posts/activity-7178429122094772224-aK3e/

//Maximum CVSS for Domain Admin Workstations. A favorite KQL wish list for all CISO 😜 Secure your "keys" to your kingdom before it gets breached!

//KQL Code:

ExposureGraphNodes
| where NodeProperties.rawData.criticalityLevel contains "Domain Admin Workstations"
| where isnotnull(NodeProperties.rawData.highRiskVulnerabilityInsights)
| extend MaxCvssScore = toreal(NodeProperties.rawData.highRiskVulnerabilityInsights.maxCvssScore)
| sort by MaxCvssScore desc

// MITRE ATT&CK Mapping

// The KQL query focuses on identifying high-risk vulnerabilities on Domain Admin Workstations, which can be mapped to several MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to maintain access to systems.
// Relevance: Domain Admin Workstations are critical assets, and vulnerabilities here could be exploited to gain or maintain access.
// T1068 - Exploitation for Privilege Escalation:
// Description: Adversaries may exploit vulnerabilities to elevate their privileges.
// Relevance: High-risk vulnerabilities with high CVSS scores could be exploited for privilege escalation.
// T1210 - Exploitation of Remote Services:
// Description: Adversaries may exploit vulnerabilities in remote services to execute code.
// Relevance: Vulnerabilities on Domain Admin Workstations could be targeted to exploit remote services.
// T1190 - Exploit Public-Facing Application:
// Description: Adversaries may exploit vulnerabilities in public-facing applications.
// Relevance: If Domain Admin Workstations have public-facing applications, these vulnerabilities could be exploited.

Explanation

This KQL query is designed to identify and prioritize high-risk vulnerabilities on Domain Admin Workstations, which are critical assets in a network. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at data from ExposureGraphNodes, which contains information about various nodes (or devices) in a network.

  2. Filtering:

    • It filters the data to focus specifically on "Domain Admin Workstations," which are computers used by domain administrators and are crucial for network security.
    • It further filters to include only those workstations that have high-risk vulnerabilities.
  3. Calculating Risk:

    • It calculates the maximum Common Vulnerability Scoring System (CVSS) score for each workstation. The CVSS score is a standardized way to measure the severity of software vulnerabilities.
  4. Sorting:

    • It sorts the workstations by their maximum CVSS score in descending order, meaning the most severe vulnerabilities appear first.

The query is particularly useful for cybersecurity professionals, like CISOs, to quickly identify and address the most critical vulnerabilities that could potentially be exploited by attackers.

Additionally, the query is mapped to several MITRE ATT&CK techniques, which are common tactics and techniques used by adversaries. These mappings help in understanding the potential impact and exploitation methods related to the identified vulnerabilities:

  • T1078 - Valid Accounts: Highlights the risk of attackers using legitimate accounts to access systems.
  • T1068 - Exploitation for Privilege Escalation: Points out the danger of vulnerabilities being used to gain higher access rights.
  • T1210 - Exploitation of Remote Services: Warns about vulnerabilities that could be exploited to run unauthorized code on remote services.
  • T1190 - Exploit Public-Facing Application: Concerns about vulnerabilities in applications that are accessible from outside the network.

Overall, this query helps in securing critical systems by prioritizing the remediation of the most severe vulnerabilities.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodes

Keywords

ExposureManagementDomainAdminWorkstationsVulnerabilitiesMITREATT&CKTechniques

Operators

|wherecontainsisnotnullextendtorealsort bydesc

MITRE Techniques

Actions

GitHub