Query Details

Global Admin Entra Cookie With Chrome Zero Day

Query

// Global Admin Entra Cookie with Chrome Zero-Day
// CVE-2025-4664 Chrome flaw with public exploit
// https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
// https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| where NodeProperties has "Global Administrator" // Remove this line to include all Critical Identities
| distinct NodeName;
let VulnerableEndPointwithBCookie =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties has "BrowserCookies"
| where TargetNodeName has_any (CriticalIdentities)
// SourceNodeName = devices on which a browser cookie for a Global Administrator identity was found
| distinct SourceNodeName;
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where ProcessVersionInfoProductVersion != "136.0.7103.114" and
    ProcessVersionInfoProductVersion != "136.0.7103.113"
// Note: string inequality keeps every build other than these two, including builds newer
// than the fix; compare with parse_version() if later Chrome releases are present in the tenant
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceName has_any(VulnerableEndPointwithBCookie)

Explanation

This query identifies devices that might be at risk because an unpatched Google Chrome build runs on a machine that holds a browser cookie for a critical identity. Here's a breakdown of what it does:

  1. Identify Critical Identities:

    • It looks for nodes in the exposure graph (ExposureGraphNodes) that are categorized as "identity" and have a criticality level less than 4.
    • It specifically focuses on identities with the role of "Global Administrator."
  2. Find Vulnerable Endpoints:

    • It searches the graph edges (ExposureGraphEdges) for "has credentials of" relationships whose credential type is browser cookies and whose target is one of these critical identities.
    • The source of each such edge is a device (endpoint) that holds the cookie.
  3. Check for Chrome Vulnerability:

    • It examines process events on devices over the past 30 days to find instances of Google Chrome running.
    • It filters out Chrome versions that are not vulnerable to CVE-2025-4664 by excluding builds "136.0.7103.114" and "136.0.7103.113," which are presumably the patched releases; every other build is treated as vulnerable.
    • It then keeps only the most recent Chrome event per device, so the version checked is the last one observed.
  4. Match Devices with Vulnerable Endpoints:

    • Finally, it checks whether any of these devices match the ones identified as holding the critical browser cookies, indicating they might be at risk due to the Chrome vulnerability.

In summary, the query is used to detect devices that have potentially vulnerable versions of Chrome and are associated with critical identities, specifically those with Global Administrator privileges, which could be exploited due to a known security flaw.
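As an added example, not the catalog author's query, the same hunt written to compare Chrome builds numerically: the original's string inequality treats every build other than the two listed as vulnerable, including builds newer than the fix, so this variant uses parse_version() against the first fixed build named on this page, and it also takes Defender Vulnerability Management's own CVE-2025-4664 attribution from DeviceTvmSoftwareVulnerabilities. It assumes the same ExposureGraph tables and column names as the query above; the CVE id and fixed build come from the page.

```kql
// Added example, not the catalog author's query: a version-aware variant.
// Builds are compared numerically against the first fixed build named on
// this page, and the result is unioned with the TVM finding for the CVE.
let FixedBuild = parse_version("136.0.7103.113");
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | where NodeProperties has "Global Administrator"
    | distinct NodeName;
let DevicesWithGACookie =
    ExposureGraphEdges
    | where EdgeLabel == @"has credentials of"
    | where EdgeProperties has "BrowserCookies"
    | where TargetNodeName has_any (CriticalIdentities)
    | distinct SourceNodeName;
// Path 1: latest Chrome build seen per device, compared as a version number
let UnpatchedByVersion =
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where ProcessVersionInfoProductName == "Google Chrome"
    | summarize arg_max(Timestamp, ProcessVersionInfoProductVersion, DeviceName) by DeviceId
    | where parse_version(ProcessVersionInfoProductVersion) < FixedBuild
    | project DeviceId, DeviceName, LastSeen = Timestamp,
              Evidence = strcat("Chrome ", ProcessVersionInfoProductVersion, " (process event)");
// Path 2: the CVE is already attributed to the device by vulnerability management
let UnpatchedByTvm =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-4664"
    | project DeviceId, DeviceName,
              Evidence = strcat(SoftwareName, " ", SoftwareVersion, " (TVM)");
union UnpatchedByVersion, UnpatchedByTvm
// Keep only devices that hold a Global Administrator browser cookie
| where DeviceName has_any (DevicesWithGACookie)
| summarize Evidence = make_set(Evidence), LastSeen = max(LastSeen) by DeviceId, DeviceName
```

Rows reached only through the TVM path have an empty LastSeen, since that table carries no event timestamp.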

Details

Steven Lim

Released: May 20, 2025

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceProcessEvents

Keywords

Identity, Devices, BrowserCookies, Process, Chrome

Operators

let, set_has_element, where, isnotnull, and, has, distinct, ==, has_any, >, !=, summarize, arg_max, by