Identify Network Shares With Write Permissions Set To Everyone In Highly Exposed Devices
Query
let DevVulNetShares = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId has "scid-4001"
| where IsCompliant == "0"
| where IsApplicable == "1"
| extend Folder = parse_json(Context)[0][0]
| extend Path = parse_json(Context)[0][1]
| project DeviceId, DeviceName, OSPlatform, Folder, Path;
let DeviceInformation = DeviceInfo
| where ExposureLevel has "High"
| distinct DeviceId, ExposureLevel;
union DevVulNetShares, DeviceInformation
| summarize by DeviceId
| join ( DevVulNetShares ) on DeviceId
| join kind=leftouter ( DeviceInformation ) on DeviceId
| project DeviceId,
DeviceName,
OSPlatform,
Folder,
PathAbout this query
Identify network shares with write permissions set to Everyone in highly exposed devices
Description
The following query leverages DeviceTvmSecureConfigurationAssessment table and specifically ConfigurationId "scid-4001" (Remove share write permission set to "Everyone"), a weakness which is available at the Microsoft Defender Vulnerability Management (MDVM) add-on license. Results provided include network shares with write permissions set to Everyone in highly exposed devices.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 06/10/2024 | Initial publish |
| 1.0 | 20/10/2024 | Description refinement |
Explanation
This query is designed to identify network shares on devices that are highly exposed to security risks and have write permissions set to "Everyone." Here's a simple breakdown of what the query does:
-
Data Source: It uses the
DeviceTvmSecureConfigurationAssessmenttable, which contains security configuration assessments for devices. -
Filter Criteria:
- It looks for entries with the
ConfigurationId"scid-4001," which corresponds to the security issue of having write permissions set to "Everyone" on network shares. - It filters for devices where this configuration is not compliant (
IsCompliant == "0") and is applicable (IsApplicable == "1").
- It looks for entries with the
-
Data Extraction:
- It extracts the folder and path information from the
Contextfield for these non-compliant configurations.
- It extracts the folder and path information from the
-
Device Information:
- It retrieves information about devices that have a high exposure level from the
DeviceInfotable.
- It retrieves information about devices that have a high exposure level from the
-
Combining Data:
- It combines the data from the two sources (non-compliant network shares and high exposure devices) to identify which devices have both characteristics.
-
Output:
- The final result includes the device ID, device name, operating system platform, folder, and path for each identified device.
In summary, this query helps security teams identify devices that are at high risk and have network shares with potentially dangerous write permissions, allowing them to take corrective action.
Details

Michalis Michalos
Released: October 20, 2024
Tables
Keywords
Operators