Exposure Management Cloud Or On Prem VDI Platform Blast Radius
Query
// Exposure Management: Cloud or On-Prem VDI Blast Radius
// https://www.linkedin.com/posts/0x534c_defenderxdr-exposuremanagement-attackpath-activity-7228066647335387137-dDBd/
// The following KQL query leverages the DefenderXDR ExposureGraphEdges schema to analyze workstations that permit multiple user logons. After identifying cloud or on-premises virtual desktop infrastructure (VDI), it scans the DeviceTvmSoftwareVulnerabilities for critical and high CVEs linked to these multi-user logons. Remember, unpatched workstations with numerous users significantly increase your attack surface. This KQL query helps you assess the associated blast radius of your VDI attack surface if not managed properly.🎯
let AVDs =
ExposureGraphEdges
| where EdgeLabel == "can authenticate as"
| summarize UserLogonCount=count() by SourceNodeName
| where UserLogonCount > 3
| distinct SourceNodeName;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
or VulnerabilitySeverityLevel == "High"
| where DeviceName has_any (AVDs)
// #DefenderXDR #ExposureManagement #AttackPath #BlastRadius
// MITRE ATT&CK Mapping
// T1078 - Valid Accounts:
// The query looks for users who can authenticate as other users, which aligns with the use of valid accounts for lateral movement or persistence.
// T1078.001 - Valid Accounts: Local Accounts:
// If the accounts identified are local accounts, this sub-technique is relevant.
// T1078.002 - Valid Accounts: Domain Accounts:
// If the accounts identified are domain accounts, this sub-technique is relevant.
// T1078.003 - Valid Accounts: Cloud Accounts:
// If the accounts identified are cloud accounts, this sub-technique is relevant.
// T1087 - Account Discovery:
// The process of identifying accounts that can authenticate as other users can be seen as account discovery.
// T1087.001 - Account Discovery: Local Account:
// If the accounts are local, this sub-technique is relevant.
// T1087.002 - Account Discovery: Domain Account:
// If the accounts are domain accounts, this sub-technique is relevant.
// T1087.003 - Account Discovery: Cloud Account:
// If the accounts are cloud accounts, this sub-technique is relevant.
// T1210 - Exploitation of Remote Services:
// The query identifies devices with critical or high vulnerabilities, which could be exploited for remote access.
// T1069 - Permission Groups Discovery:
// Identifying users with specific permissions can be related to discovering permission groups.Explanation
This KQL query is designed to help you understand the potential security risks associated with virtual desktop infrastructure (VDI), whether it's cloud-based or on-premises. Here's a simplified breakdown:
-
Identify Risky Workstations: The query first looks for workstations that allow multiple users to log in (more than three users). These are identified as potentially risky because more users mean a larger attack surface.
-
Check for Vulnerabilities: Once these workstations are identified, the query checks if they have any critical or high-severity software vulnerabilities. These vulnerabilities could be exploited by attackers.
-
Assess Attack Surface: By identifying workstations with both multiple user logons and significant vulnerabilities, the query helps assess the "blast radius" or potential impact if these systems were compromised.
-
Security Framework Mapping: The query is mapped to various MITRE ATT&CK techniques, which are a set of tactics and techniques used by attackers. This mapping helps in understanding how the identified risks align with known attack methods, such as using valid accounts for unauthorized access or exploiting remote services.
Overall, this query is a tool for exposure management, helping security teams identify and mitigate risks associated with their VDI environments.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators