# Most Exploited Vulnerabilities 2022

## Query Information

#### Description
CISA, the NSA and the FBI, together with the other Five Eyes cybersecurity authorities, have listed the vulnerabilities that were most exploited in 2022. The query below lists all of those vulnerabilities so that patching can be prioritized. They should be patched as soon as possible to prevent breaches, if a breach has not already occurred. If a device affected by one of these vulnerabilities is connected to the public internet, assume that the device has been compromised.

You can add more CVEs to the current list based on the Additional Routinely Exploited Vulnerabilities listed in the CISA report in the references.

If you want to alert on these vulnerabilities, the last lines of the query need to be replaced with the lines below. This is in order to meet the custom detection rule requirements, which are the `Timestamp` and `ReportId` columns.
```
| join (DeviceEvents
    | summarize arg_max(Timestamp, *) by DeviceId)
    on DeviceId
```

| CVE | Vendor | Product | Type |
|---|---|---|---|
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure |
| CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE |
| CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass |
| CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege |
| CVE-2021-40539 | Zoho | ADSelfService Plus | RCE/Auth Bypass |
| CVE-2021-26084 | Atlassian | Confluence Server/Data Center | Arbitrary code execution |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE |
| CVE-2022-22954 | VMware | Workspace ONE | RCE |
| CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE |
| CVE-2022-26134 | Atlassian | Confluence Server/Data Center | RCE |

Table source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

#### References
- https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

### Defender For Endpoint
```
// Listing of the most exploited vulnerabilities of 2022.
// Identifier renamed to start with a letter (KQL identifiers starting with a digit need ['...'] quoting),
// and CVE-2021-44228 written without the stray space so it actually matches CveId.
let MostExploited2022 = dynamic([
    'CVE-2021-34473', 'CVE-2021-31207', 'CVE-2021-34523', 'CVE-2018-13379',
    'CVE-2021-40539', 'CVE-2021-26084', 'CVE-2021-44228', 'CVE-2022-22954',
    'CVE-2022-22960', 'CVE-2022-1388', 'CVE-2022-30190', 'CVE-2022-26134']);
DeviceTvmSoftwareVulnerabilities
// Filter on devices that are vulnerable to one of the vulnerabilities
| where CveId in (MostExploited2022)
// Add additional context from the vulnerability knowledge base
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, VulnerabilityDescription)
    on CveId
| project DeviceName, OSPlatform, CveId, VulnerabilityDescription
```
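To show how the two snippets on this page fit together, here is the custom-detection version of the query assembled end to end, as an added example rather than the author's published query. It assumes the custom detection rule requirement of `Timestamp`, `ReportId` and `DeviceId` columns (the page names only the first two), and projects only those columns from `DeviceEvents` so the join does not duplicate `DeviceName`.

```kql
// Added example: hunting query above, rewritten for a Defender XDR custom detection rule.
let MostExploited2022 = dynamic([
    'CVE-2021-34473', 'CVE-2021-31207', 'CVE-2021-34523', 'CVE-2018-13379',
    'CVE-2021-40539', 'CVE-2021-26084', 'CVE-2021-44228', 'CVE-2022-22954',
    'CVE-2022-22960', 'CVE-2022-1388', 'CVE-2022-30190', 'CVE-2022-26134']);
DeviceTvmSoftwareVulnerabilities
// Keep only devices exposed to one of the listed CVEs
| where CveId in (MostExploited2022)
// Enrich with the human-readable description from the knowledge base
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, VulnerabilityDescription)
    on CveId
// TVM rows carry no event Timestamp/ReportId, so borrow the latest event per device.
// Projecting only the three needed columns avoids clashing DeviceName/OSPlatform columns.
| join kind=inner (DeviceEvents
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, Timestamp, ReportId)
    on DeviceId
// Assumption: Timestamp, DeviceId and ReportId are the columns a custom detection requires
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform, CveId, VulnerabilityDescription
```

Because every row reuses the device's most recent event as its `Timestamp`, one alert is raised per vulnerable device and CVE pair each time the rule runs until the finding is remediated.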

Explanation

The query lists the most exploited vulnerabilities of 2022 according to the cybersecurity authorities named above. These vulnerabilities should be patched as soon as possible to prevent breaches. The query filters for devices that are affected by these vulnerabilities and provides additional context: the device name, operating system, CVE ID, and vulnerability description.

Details

Bert-Jan Pals

Released: October 16, 2023

Tables

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB

Keywords

Devices, Intune, User
