Query Details

Vulnerability Profile: CVE-2024-30040 (Zero-day)

Query

// Vulnerability Profile: CVE-2024-30040 (Zero-day)
// https://www.linkedin.com/posts/activity-7196377520647090178-Ya18/

// CVE-2024-30040 is a security feature bypass zero-day vulnerability affecting Microsoft 365 and Office apps that is being actively exploited. This query uses Defender XDR Exposure Management to list the devices that are reachable by critical identities holding highly privileged roles and that are also vulnerable to CVE-2024-30040. Because critical identities are part of your organization's attack surface and hold the keys to your tenant, closing this gap significantly reduces your organization's risk from this zero-day exploit.

// Exposure Management KQL:

// Step 1: identity nodes tagged with a criticality level below 4 (the most critical tiers).
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
// Step 2: devices those identities can authenticate to, resolved to a device name via the target node.
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
// isLocalAdmin is surfaced from the edge properties but not used as a filter here.
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
// Step 3: of those devices, keep the ones with an open finding for CVE-2024-30040.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-30040"
| where DeviceName has_any (CriticalDevices)

Explanation

This KQL query is designed to identify devices within an organization that are vulnerable to a specific zero-day vulnerability (CVE-2024-30040) and are accessible by highly privileged identities. Here's a simple breakdown of what the query does:

  1. Identify Critical Identities:

    • It first identifies critical identities within the organization. These are users with high privilege roles and a criticality level less than 4.
  2. Identify Devices Accessible by Critical Identities:

    • It then finds devices that these critical identities can authenticate to, and also surfaces whether they hold local admin rights on those devices (the isLocalAdmin column is computed but not used as a filter).
  3. Find Vulnerable Devices:

    • Finally, it checks which of these identified devices are vulnerable to the CVE-2024-30040 vulnerability.

In summary, the query helps to pinpoint devices that are both vulnerable to a specific zero-day exploit and accessible by highly privileged users, thereby highlighting critical security risks that need to be addressed to protect the organization.
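As an added example that is not part of the original query, the following variant keeps the identity-to-device edge instead of collapsing it, so each vulnerable device is reported together with the critical identities that can reach it and how many of them are local admins. It assumes the same Exposure Management tables and rawData fields used above, and that rawData.deviceName matches DeviceTvmSoftwareVulnerabilities.DeviceName exactly (the original uses the looser has_any).

```kql
// Added example, not from the original post. Same selection as the query above,
// but the result is one row per vulnerable device with the reaching identities.
// Assumption: rawData.deviceName and DeviceName use the same naming form.
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | distinct NodeName;
let CriticalAccessEdges =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    // exact membership test instead of has_any, so one identity cannot match part of another's name
    | where SourceNodeName in (CriticalIdentities)
    | join kind=inner ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    | project DName = tostring(NodeProperties.rawData.deviceName),
              CriticalIdentity = SourceNodeName,
              isLocalAdmin = tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin);
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-30040"
| join kind=inner CriticalAccessEdges on $left.DeviceName == $right.DName
| summarize CriticalIdentities = make_set(CriticalIdentity),
            IdentityCount = dcount(CriticalIdentity),
            LocalAdminIdentities = countif(isLocalAdmin == true),
            Severity = take_any(VulnerabilitySeverityLevel),
            Fix = take_any(RecommendedSecurityUpdate)
            by DeviceId, DeviceName
// devices where a critical identity is also a local admin come first
| order by LocalAdminIdentities desc, IdentityCount desc
```

The LocalAdminIdentities column is the one to triage first: a vulnerable device on which a critical identity holds local admin is where patching buys the most risk reduction.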

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Intune, User, Vulnerabilities

Operators

let, |, where, set_has_element, isnotnull, and, <, distinct, ==, join, on, $left, $right, extend, tostring, has_any
