Query Details

CVE 2024 7971 Patch Prioritization

Query

// CVE-2024-7971 Patch Prioritization

//Google has addressed a high-severity Chrome vulnerability that is currently being actively exploited. It’s crucial to identify which of your global administrators are using a vulnerable version of Chrome, especially if their credential cookies are stored on their endpoints. Given that threat actors are exploiting this flaw, it’s strongly recommended to patch the global admin endpoints immediately to significantly reduce the attack surface.

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| where NodeProperties has "Global Administrator"
| distinct NodeName;
let VulnerableEndPointwithBCookie =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties has "BrowserCookies"
| where TargetNodeName has_any (CriticalIdentities)
| distinct SourceNodeName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-7971"
| where DeviceName has_any (VulnerableEndPointwithBCookie)

// MITRE ATT&CK Mapping

// T1078.004: Valid Accounts: Cloud Accounts
// T1539: Steal Web Session Cookie
// T1190: Exploit Public-Facing Application

//These mappings help in understanding the potential tactics and techniques adversaries might use, based on the identified vulnerabilities and critical identities in your environment.

Explanation

This query is designed to help prioritize patching for a specific high-severity vulnerability in Google Chrome, identified as CVE-2024-7971, which is actively being exploited. The goal is to identify and prioritize patching for devices used by global administrators who are at higher risk due to this vulnerability.

Here's a simplified breakdown of the query:

  1. Identify Critical Identities:

    • The query first identifies global administrators within the organization who have a criticality level below 4, indicating they are of high importance or risk.
  2. Find Vulnerable Endpoints:

    • It then checks for devices (endpoints) that store credential cookies for these critical global administrators. This is important because if these cookies are stored on a vulnerable version of Chrome, they could be exploited by attackers.
  3. Check for Vulnerability:

    • Finally, it filters devices that have the specific Chrome vulnerability (CVE-2024-7971) and are associated with the identified vulnerable endpoints.
  4. MITRE ATT&CK Mapping:

    • The query also references specific MITRE ATT&CK techniques that relate to the vulnerability, helping to understand the potential tactics and techniques adversaries might use. These include:
      • T1078.004: Valid Accounts: Cloud Accounts
      • T1539: Steal Web Session Cookie
      • T1190: Exploit Public-Facing Application

The overall recommendation is to immediately patch the identified vulnerable endpoints used by global administrators to reduce the risk of exploitation.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilities

Keywords

ExposuregraphnodesNodepropertiesCriticalidentitiesExposuregraphedgesEdgepropertiesTargetnodenameSourcenodenameDevicetvmsoftwarevulnerabilitiesDevicenameCveidCategoriesIdentityGlobalAdministratorBrowsercookies

Operators

let|whereset_has_elementisnotnulland<hasdistinct==has_any

MITRE Techniques

Actions

GitHub