Query Details

Finding Internet Facing Device With CUPS

Query

// Finding internet-facing devices with CUPS

// My feed was buzzing with CUPS disclosures (CVSS 9.9) this morning, and it’s only Friday! Time to bring out my DefenderXDR Exposure Management toolkit and cast this magical KQL spell to identify all internet-connected devices with CUPS for a swift search and rescue operation.

// Attacking UNIX Systems via CUPS, Part I
// Link: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

// DefenderXDR Exposure Management

let InternetFacingDevices =
ExposureGraphNodes
// Device nodes plus VM nodes (the 'has' and set_has_element checks test the same membership)
| where NodeLabel == 'device' or 
(Categories has 'virtual_machine' and set_has_element(Categories, 'virtual_machine'))
// Keep only nodes the exposure graph marks as reachable from the internet
| where NodeProperties.rawData.isInternetFacing == true
| project NodeName;
// Match the software inventory against those device names; 'has' is a term match,
// so it also catches packages such as cups-browsed and cups-filters
DeviceTvmSoftwareInventory
| where DeviceName has_any (InternetFacingDevices)
| where SoftwareName has "cups"

// Mitre ATT&CK
Technique: T1518.001 - Software Discovery: Security Software Discovery

Explanation

This KQL query is designed to identify internet-facing devices that have the CUPS (Common UNIX Printing System) software installed. Here's a simplified breakdown:

  1. Identify Internet-Facing Devices:
    • The query first searches for devices that are either labeled as 'device' or categorized as 'virtual_machine'.
    • It filters these devices to include only those that are internet-facing.
    • The names of these internet-facing devices are then extracted.
  2. Check for CUPS Installation:
    • The query then looks into the software inventory of the identified internet-facing devices.
    • It filters this inventory to find devices that have the CUPS software installed.
  3. Purpose:
    • The goal is to quickly identify and manage the exposure of internet-connected devices that might be vulnerable due to the presence of CUPS, which has a high-severity vulnerability (CVSS 9.9).
  4. Context:
    • This is part of a proactive security measure to mitigate potential risks associated with CUPS vulnerabilities, as highlighted in a recent disclosure.
  5. Reference:
    • The query references a specific technique from the Mitre ATT&CK framework (T1518.001), which involves discovering security software.

In essence, this query helps security teams quickly find and address potential vulnerabilities in their internet-facing devices that have CUPS installed.
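The query above only tells you that a CUPS package is present on an internet-facing host. As an added example (not part of the original query), the variant below goes one step further and checks whether those hosts have actually been listening on, or accepting connections to, port 631 (TCP for cupsd, UDP for cups-browsed) in the last seven days; it reuses the same exposure-graph filter and assumes the devices report DeviceNetworkEvents to Defender XDR.

```kql
// Added example: confirm an actual port-631 listener on internet-facing CUPS hosts.
let InternetFacingDevices =
    ExposureGraphNodes
    | where NodeLabel == 'device' or set_has_element(Categories, 'virtual_machine')
    | where NodeProperties.rawData.isInternetFacing == true
    | project NodeName;
// Internet-facing hosts with any CUPS-related package, with package versions collected
let CupsHosts =
    DeviceTvmSoftwareInventory
    | where SoftwareName has 'cups'
    | join kind=inner (InternetFacingDevices) on $left.DeviceName == $right.NodeName
    | summarize CupsPackages = make_set(strcat(SoftwareName, ' ', SoftwareVersion))
        by DeviceId, DeviceName, OSPlatform;
// Listening sockets or accepted inbound connections on the IPP / cups-browsed port
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ('ListeningConnectionCreated', 'InboundConnectionAccepted')
| where LocalPort == 631
| join kind=inner (CupsHosts) on DeviceId
| summarize Events = count(),
            LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 20)   // sample of peers, capped at 20
    by DeviceId, DeviceName, OSPlatform, tostring(CupsPackages), Protocol, ActionType
| order by LastSeen desc
```

Hosts that appear in the original query but not here either have no listener on 631 or are not reporting network events, so treat an empty result as "unconfirmed", not "safe".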

Details

Steven Lim

Released: September 27, 2024

Tables

ExposureGraphNodes, DeviceTvmSoftwareInventory

Keywords

Devices, ExposureManagement, SoftwareInventory, UNIXSystems

Operators

let, |, where, ==, or, (), has, and, set_has_element, true, project, ;, has_any
