Defending Against CVE 2024 21413 Outlook Moniker Link Bug Abuse
Query
//Defending against CVE-2024-21413 Outlook MonikerLink Bug Abuse
//https://www.linkedin.com/pulse/defending-against-cve-2024-21413-outlook-monikerlink-bug-steven-lim-wesac/
let VulnerableEndpoints =
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-21413"
| project DeviceId;
DeviceProcessEvents
| where FileName=="OUTLOOK.EXE"
| join DeviceNetworkEvents on DeviceId
| where DeviceId has_any(VulnerableEndpoints)
| where RemotePort == 445
| where RemoteIPType=="Public"
| where ActionType1=="ConnectionSuccess"
| project Timestamp, DeviceName, AccountUpn, ActionType1, RemoteIP
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1071.001 - Application Layer Protocol: Web Protocols:
// The query checks for network connections, which can be associated with the use of application layer protocols.
// T1047 - Windows Management Instrumentation:
// Monitoring OUTLOOK.EXE could be related to the use of legitimate software for malicious purposes.
// T1078 - Valid Accounts:
// The query projects AccountUpn, indicating a focus on user accounts, which could be related to the use of valid accounts for malicious activities.
// T1049 - System Network Connections Discovery:
// The query checks for network connections, which aligns with discovering network connections on the system.
// T1105 - Ingress Tool Transfer:
// The focus on successful connections to public IPs on port 445 could indicate data transfer or tool ingress.Explanation
This query is designed to identify potential abuse of a specific security vulnerability (CVE-2024-21413) in Microsoft Outlook. Here's a simplified breakdown of what the query does:
-
Identify Vulnerable Devices: It starts by finding devices that have the specific vulnerability (CVE-2024-21413) using the
DeviceTvmSoftwareVulnerabilitiestable. It collects the IDs of these vulnerable devices. -
Monitor Outlook Activity: It then looks for processes where the file name is "OUTLOOK.EXE" in the
DeviceProcessEventstable. This is to monitor Outlook activity on those devices. -
Check Network Connections: The query joins this Outlook activity with network events from the
DeviceNetworkEventstable, focusing on the vulnerable devices. -
Filter for Suspicious Connections: It filters these network events to find successful connections (
ActionType1=="ConnectionSuccess") to public IP addresses on port 445. Port 445 is commonly used for file sharing and could be an indicator of malicious activity. -
Output Relevant Information: Finally, it outputs key details like the timestamp, device name, user account, action type, and remote IP address for further investigation.
The query also maps these activities to relevant MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:
- T1071.001: Relates to the use of application layer protocols, as the query checks for network connections.
- T1047: Involves monitoring legitimate software (Outlook) for potential misuse.
- T1078: Focuses on user accounts, suggesting the use of valid accounts for malicious purposes.
- T1049: Involves discovering network connections on the system.
- T1105: Indicates potential data transfer or tool ingress due to connections to public IPs on port 445. Overall, this query helps in detecting and responding to potential exploitation of the CVE-2024-21413 vulnerability in Outlook by monitoring specific network activities and processes.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators