Query Details

CVE 2024 38200 NTLM Exposure Detection

Query

// CVE-2024-38200 NTLM Exposure Detection
// Linkedin Post: https://www.linkedin.com/posts/0x534c_microsoft-discloses-unpatched-office-flaw-activity-7229115791139348480-X_Hi/
// Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker. Microsoft's exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.

// The below KQL uses DefenderXDR Exposure Management to check the presence of NTLM hash on the endpoint and if it successfully made an outbound NTLM authentication to internet public IP which indicates high probability of NTLM hash exposure. Upon detection, SecOps should request user to change credential as a precaution until the endpoint is patched. 

let EndpointWithNTLMHash = 
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties.rawData.ntlmHash.ntlmHash == "true"
| distinct SourceNodeName;
let VulnerableEndpoint =
DeviceTvmSoftwareInventory
| where SoftwareName contains "office_" and SoftwareVendor == "microsoft"
| where DeviceName has_any (EndpointWithNTLMHash)
| distinct DeviceName;
DeviceNetworkEvents
| where RemotePort == "445" and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (VulnerableEndpoint)

// MSRC - Microsoft Office Spoofing Vulnerability (Recently Updated)
// https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200

// https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/

// MITRE ATT&CK Mapping

// Credential Dumping (T1003): Identifying endpoints with NTLM hashes.
// Exploitation for Client Execution (T1203): Identifying vulnerable endpoints with specific software.
// Remote Services (T1021): Monitoring network events for successful connections on port 445.

// These mappings help in understanding the potential threats and tactics being monitored by the KQL query.

Explanation

This KQL query is designed to detect potential exposure of NTLM hashes due to a vulnerability in Microsoft Office 2016, identified as CVE-2024-38200. Here's a simple breakdown of what the query does:

  1. Identify Endpoints with NTLM Hashes: The query first checks for endpoints that have NTLM hashes present. This is done by looking at data that indicates if an endpoint has credentials stored in the form of NTLM hashes.

  2. Find Vulnerable Endpoints: It then identifies which of these endpoints have Microsoft Office 2016 installed, as these are potentially vulnerable to the NTLM hash exposure.

  3. Monitor Network Activity: The query checks if these vulnerable endpoints have made successful outbound connections to public IP addresses over port 445. Such activity suggests a high probability that NTLM hashes might have been exposed to a remote attacker.

  4. Actionable Insight: If such activity is detected, it is recommended that security operations (SecOps) request users to change their credentials as a precaution until the vulnerability is patched.

The query also references various security frameworks and mappings to understand the potential threats and tactics being monitored, such as credential dumping and exploitation for client execution.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphEdges DeviceTvmSoftwareInventory DeviceNetworkEvents

Keywords

ExposureGraphEdgesDeviceTvmSoftwareInventoryDeviceNetworkEventsNTLMHashEndpointSoftwareOfficeMicrosoftVulnerabilityCredentialNetworkEventsSecOpsUserMITREATT&CK

Operators

let|where==containshas_anydistinct

MITRE Techniques

Actions

GitHub