Vulnerability Profile CVE 2024 30040 Zero Day
Query
// Vulnerability Profile: CVE-2024-30040 (Zero-day)
// https://www.linkedin.com/posts/activity-7196377520647090178-Ya18/
// CVE-2024-30040 is a security feature bypass zero-day vulnerability affecting Microsoft 365 and Office apps which is actively exploited. Using DefenderXDR Exposure Management to determine the list of devices accessible by critical identities holding highly privilege roles and that the devices are also vulnerable to CVE-2024-30040. As critical identities are part of your organization attack surface areas holding keys to your tenant, plugging this hole significantly reduce your organization risk against the Zero-Day exploits.
// Exposure Management KQL:
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-30040"
| where DeviceName has_any (CriticalDevices)
// MITRE ATT&CK Mapping
// The KQL code is designed to identify critical identities and devices, and then find vulnerabilities in those devices. The associated MITRE ATT&CK techniques include:
// T1078: Valid Accounts
// T1078.001: Valid Accounts: Local Accounts
// T1078.003: Valid Accounts: Local Administrator Accounts
// T1190: Exploit Public-Facing Application
// T1210: Exploitation of Remote ServicesExplanation
This KQL query is designed to help identify and manage risks associated with a specific zero-day vulnerability, CVE-2024-30040, which affects Microsoft 365 and Office applications. Here's a simplified breakdown of what the query does:
-
Identify Critical Identities:
- The query first identifies "critical identities" within an organization. These are users or accounts with high privilege levels that are crucial to the organization's security.
-
Identify Critical Devices:
- It then finds devices that these critical identities can access, specifically those where they have local administrator rights.
-
Check for Vulnerability:
- The query checks if these identified devices are vulnerable to the CVE-2024-30040 security flaw.
-
Purpose:
- By identifying which critical devices are vulnerable, the organization can take steps to mitigate the risk posed by this zero-day vulnerability, thereby protecting their critical assets and reducing the overall security risk.
-
MITRE ATT&CK Techniques:
- The query also maps to specific MITRE ATT&CK techniques, which are common tactics and techniques used by attackers. These include:
- T1078: Valid Accounts
- T1078.001: Local Accounts
- T1078.003: Local Administrator Accounts
- T1190: Exploit Public-Facing Application
- T1210: Exploitation of Remote Services
- The query also maps to specific MITRE ATT&CK techniques, which are common tactics and techniques used by attackers. These include:
In essence, this query helps security teams focus on securing the most critical parts of their infrastructure against a known and actively exploited vulnerability.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilities
Keywords
DevicesIntuneUserVulnerabilitiesSecurityMicrosoftOfficeDefenderXDRExposureManagementCriticalIdentitiesOrganizationTenantExploitsGraphNodesEdgesSoftwareMITREATT&CKTechniquesAccountsAdministratorApplicationServices
Operators
letset_has_elementwhereisnotnullanddistinctjoinonextendtostringhas_any