Query Details

Defending Against CVE 2024 21413 Outlook Moniker Link Bug Abuse

Query

//Defending against CVE-2024-21413 Outlook MonikerLink Bug Abuse
//https://www.linkedin.com/pulse/defending-against-cve-2024-21413-outlook-monikerlink-bug-steven-lim-wesac/

let VulnerableEndpoints =
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-21413"
| project DeviceId;
DeviceProcessEvents
| where FileName=="OUTLOOK.EXE"
| join DeviceNetworkEvents on DeviceId
| where DeviceId has_any(VulnerableEndpoints)
| where RemotePort == 445
| where RemoteIPType=="Public"
| where ActionType1=="ConnectionSuccess"
| project Timestamp, DeviceName, AccountUpn, ActionType1, RemoteIP


// MITRE ATT&CK Mapping

// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1071.001 - Application Layer Protocol: Web Protocols:
// The query checks for network connections, which can be associated with the use of application layer protocols.

// T1047 - Windows Management Instrumentation:
// Monitoring OUTLOOK.EXE could be related to the use of legitimate software for malicious purposes.

// T1078 - Valid Accounts:
// The query projects AccountUpn, indicating a focus on user accounts, which could be related to the use of valid accounts for malicious activities.

// T1049 - System Network Connections Discovery:
// The query checks for network connections, which aligns with discovering network connections on the system.

// T1105 - Ingress Tool Transfer:
// The focus on successful connections to public IPs on port 445 could indicate data transfer or tool ingress.

Explanation

This query is designed to identify potential abuse of a specific security vulnerability (CVE-2024-21413) in Microsoft Outlook. Here's a simplified breakdown of what the query does:

  1. Identify Vulnerable Devices: It starts by finding devices that have the specific vulnerability (CVE-2024-21413) using the DeviceTvmSoftwareVulnerabilities table. It collects the IDs of these vulnerable devices.

  2. Monitor Outlook Activity: It then looks for processes where the file name is "OUTLOOK.EXE" in the DeviceProcessEvents table. This is to monitor Outlook activity on those devices.

  3. Check Network Connections: The query joins this Outlook activity with network events from the DeviceNetworkEvents table, focusing on the vulnerable devices.

  4. Filter for Suspicious Connections: It filters these network events to find successful connections (ActionType1=="ConnectionSuccess") to public IP addresses on port 445. Port 445 is commonly used for file sharing and could be an indicator of malicious activity.

  5. Output Relevant Information: Finally, it outputs key details like the timestamp, device name, user account, action type, and remote IP address for further investigation.

The query also maps these activities to relevant MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:

  • T1071.001: Relates to the use of application layer protocols, as the query checks for network connections.
  • T1047: Involves monitoring legitimate software (Outlook) for potential misuse.
  • T1078: Focuses on user accounts, suggesting the use of valid accounts for malicious purposes.
  • T1049: Involves discovering network connections on the system.
  • T1105: Indicates potential data transfer or tool ingress due to connections to public IPs on port 445. Overall, this query helps in detecting and responding to potential exploitation of the CVE-2024-21413 vulnerability in Outlook by monitoring specific network activities and processes.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceNetworkEvents

Keywords

DeviceTvmSoftwareVulnerabilitiesProcessEventsNetworkNameAccountUpnRemoteIPPortTimestamp

Operators

let|where==projectjoinonhas_any

Actions

GitHub