Query Details

Internet Facing Devices With Available Exploits

Query

# List internet facing devices with vulnerabilities that have an exploit available

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1190 | Exploit Public-Facing Application| https://attack.mitre.org/techniques/T1190/ |

#### Description
This query lists all internet-facing devices that have an exploitable vulnerability. Exploitable means that a vulnerability has been found and a PoC or exploit for it is publicly available online. MDE classifies a device as internet facing when it has a public IP address; depending on your configuration, such a device could be completely exposed, have only some ports exposed, or not be reachable from the internet at all. This is mostly because a firewall placed in front of the internet-facing device can block traffic to it. If you want to see the full details of each vulnerability (such as which KB needs to be installed), remove the final `summarize` and `sort by` lines of the query.

#### Risk
The risk of exploits on internet-facing servers is higher because they can be publicly reachable and are therefore more easily exploited.

#### References
- https://attack.mitre.org/techniques/T1190/
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975

### Defender For Endpoint
```kql
// Collect all internet facing devices (latest DeviceInfo record per device)
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| distinct DeviceId;
// Collect all vulnerabilities for which an exploit is available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in~ (ExploitableVulnerabilities)
| where DeviceId in~ (InternetFacingDevices)
// Summarize results to get the statistics for each device
| summarize TotalExploitableVulnerabilities = dcount(CveId), CveIds = make_set(CveId), SoftwareNames = make_set(SoftwareName), RecommendedSecurityUpdates = make_set(RecommendedSecurityUpdate) by DeviceName
| sort by TotalExploitableVulnerabilities
```

Explanation

This query identifies internet-facing devices that have vulnerabilities with available exploits. It collects information on internet-facing devices and vulnerabilities with exploits, and then filters the results to include only devices with exploitable vulnerabilities. The query summarizes the results by device, providing statistics on the number of exploitable vulnerabilities, the CVE IDs, software names, and recommended security updates. The results are sorted by the total number of exploitable vulnerabilities.
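As an added example (not part of the original query or the author's repository), the per-CVE detail view the description refers to, joined to the KB table for the CVSS score and publication date and to DeviceInfo for the public IP and exposure level so that findings can be triaged; the column names are taken from the Defender XDR advanced hunting schema and are assumed to match your tenant:

```kql
// Added example: per-CVE detail view for internet-facing devices, enriched for triage.
// Column names (PublicIP, ExposureLevel, CvssScore, PublishedDate, ...) are assumed
// to follow the advanced hunting schema; verify them in your tenant before use.
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| project DeviceId, PublicIP, ExposureLevel;
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId, CvssScore, PublishedDate, VulnerabilityDescription;
DeviceTvmSoftwareVulnerabilities
// Keep only CVEs with a public exploit and carry over their KB details
| join kind=inner ExploitableVulnerabilities on CveId
// Keep only devices MDE classifies as internet facing
| join kind=inner InternetFacingDevices on DeviceId
// Optionally restrict to the most severe findings first:
// | where VulnerabilitySeverityLevel in ("Critical", "High")
| project DeviceName, PublicIP, ExposureLevel, CveId, CvssScore, VulnerabilitySeverityLevel,
    PublishedDate, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId
// Highest CVSS score first, so the most urgent patches are at the top
| sort by CvssScore desc, DeviceName asc
```

Each row is one device/CVE pair, so a device with several exploitable CVEs appears multiple times; the summarized query above is the right choice when you want one row per device.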

Details


Bert-Jan Pals

Released: April 20, 2023

Tables

- DeviceInfo
- DeviceTvmSoftwareVulnerabilitiesKB
- DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Intune, User

Operators

arg_max, where, distinct, summarize, project, in~, make_set, dcount, sort by
