Query Details

Identify Network Shares With Write Permissions Set To Everyone In Highly Exposed Devices

Query

# Identify network shares with write permissions set to Everyone in highly exposed devices

## Description

The following query uses the DeviceTvmSecureConfigurationAssessment table, which is available with the Microsoft Defender Vulnerability Management (MDVM) add-on license. The results are network shares with write permissions set to Everyone on highly exposed devices.

### Microsoft Defender XDR
```
let DevVulNetShares = DeviceTvmSecureConfigurationAssessment
    // scid-4001: network share with write permissions granted to Everyone
    | where ConfigurationId has "scid-4001"
    | where IsCompliant == "0"
    | where IsApplicable == "1"
    // The first element of the Context array carries the share folder and its path
    | extend Folder = parse_json(Context)[0][0]
    | extend Path = parse_json(Context)[0][1]
    | project DeviceId, DeviceName, OSPlatform, Folder, Path;
let DeviceInformation = DeviceInfo
    | where ExposureLevel has "High"
    | distinct DeviceId, ExposureLevel;
// An inner join keeps only the shares that sit on a highly exposed device;
// a leftouter join here would return every Everyone-writable share regardless of exposure
DevVulNetShares
    | join kind=inner ( DeviceInformation ) on DeviceId
    | project DeviceId,
            DeviceName,
            OSPlatform,
            Folder,
            Path
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 06/10/2024    | Initial publish                        |

Explanation

This query is designed to identify network shares on devices that are highly exposed and have write permissions set to "Everyone." It uses data from Microsoft Defender Vulnerability Management to find these network shares and combines it with device information to highlight those with a high exposure level. Here's a breakdown of what the query does:

1. Data source: it uses the DeviceTvmSecureConfigurationAssessment table, which contains security configuration assessments for devices.
2. Filter criteria:
   - It looks for configurations with an ID of "scid-4001," which likely corresponds to network share permissions.
   - It filters for entries that are non-compliant (IsCompliant == "0") and applicable (IsApplicable == "1").
3. Data extraction:
   - It extracts the folder and path details from the Context column.
4. Device information:
   - It retrieves device information from the DeviceInfo table, focusing on devices with a high exposure level.
5. Combining data:
   - It joins the network share data with the device information to identify devices that are both highly exposed and have network shares with write permissions set to "Everyone."
6. Output:
   - The final output includes the device ID, name, operating system platform, folder, and path of the network shares.

In summary, this query helps security teams identify potentially vulnerable network shares on devices that are at high risk, allowing them to take corrective actions.
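Once the query flags a device, the share is normally confirmed and fixed on the host itself. The following PowerShell is an added example and is not part of the original query page: it lists the SMB shares on the local machine that grant the built-in Everyone principal (SID S-1-1-0) Change or Full access, which is the condition behind the finding, and offers a pipeline-friendly remediation. It uses the standard SmbShare module cmdlets (Get-SmbShare, Get-SmbShareAccess, Revoke-SmbShareAccess) and assumes local administrator rights; the function names Get-EveryoneWritableShare and Remove-EveryoneWriteGrant are my own.

```powershell
# Added example, not part of the original query page: host-side check for SMB shares that
# grant Everyone write access, plus a remediation that honours -WhatIf / -Confirm.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later) and local admin rights.

# Resolve the well-known SID of Everyone to its display name so the ACE match also works on
# non-English systems, where the account is shown under a localized name.
$script:EveryoneName = ([System.Security.Principal.SecurityIdentifier]'S-1-1-0').Translate([System.Security.Principal.NTAccount]).Value

function Get-EveryoneWritableShare {
    [CmdletBinding()]
    param(
        # Administrative shares (C$, ADMIN$, IPC$) are skipped unless requested.
        [switch]$IncludeSpecial
    )

    $shares = Get-SmbShare | Where-Object { $IncludeSpecial -or -not $_.Special }
    foreach ($share in $shares) {
        $aces = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
        foreach ($ace in $aces) {
            # Only an Allow entry for Everyone with Change or Full rights makes the share
            # writable by anyone; a Read-only grant to Everyone is a different finding.
            if ($ace.AccountName -eq $script:EveryoneName -and
                $ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in @('Change', 'Full')) {
                [PSCustomObject]@{
                    ComputerName = $env:COMPUTERNAME
                    ShareName    = $share.Name
                    Path         = $share.Path
                    AccessRight  = $ace.AccessRight
                }
            }
        }
    }
}

function Remove-EveryoneWriteGrant {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accepts the ShareName property emitted by Get-EveryoneWritableShare.
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$ShareName
    )
    process {
        if ($PSCmdlet.ShouldProcess($ShareName, 'Revoke Everyone access')) {
            # Revoking removes the Everyone entry entirely; if the share must stay readable
            # by all, re-add a Read grant afterwards with Grant-SmbShareAccess.
            Revoke-SmbShareAccess -Name $ShareName -AccountName $script:EveryoneName -Force
        }
    }
}

# Usage: list the findings, then preview the remediation before applying it.
Get-EveryoneWritableShare | Format-Table -AutoSize
# Get-EveryoneWritableShare | Remove-EveryoneWriteGrant -WhatIf
```

Run the listing first and compare it with the Folder and Path columns the query returned for the device; a share that the host no longer reports usually means the assessment has not been refreshed yet rather than a false positive.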

Details


Michalis Michalos

Released: October 6, 2024

Tables

DeviceTvmSecureConfigurationAssessment, DeviceInfo

Keywords

DeviceTvmSecureConfigurationAssessment, DeviceInfo

Operators

let, has, ==, extend, parse_json, project, distinct, union, summarize, join, on, kind, leftouter