Device Or VM With Critical CVSS And Exploit Is Verified
Query
// Device or VM with critical CVSS and ExploitIsVerified
// https://www.linkedin.com/posts/activity-7193835506164469761-_1ty/
// The ‘MDE DeviceTvmSoftwareVulnerabilitiesKB’ table includes the ‘IsExploitAvailable’ column, which simply indicates the public availability of an exploit. In contrast, the ‘Exposure Management ExposureGraphNodes’ table features the ‘ExploitabilityLevel’ column, offering more detailed information about the exploit, such as whether ‘ExploitIsVerified’. Bearing this in mind, we have crafted a KQL query to isolate Critical CVEs that are verified as exploitable. This query is then combined with the ‘ExposureGraphEdge’ to identify all devices and virtual machines that are vulnerable to critical, exploitable CVEs. The goal is to prioritize the remediation of these machines urgently, thereby minimizing the potential attack surface.
ExposureGraphNodes
| where NodeLabel == "Cve"
| extend CVSSScore = tostring(NodeProperties.rawData.cvssScore)
| extend Severity = tostring(NodeProperties.rawData.severity)
| extend HasExploit = tostring(NodeProperties.rawData.hasExploit)
| extend ExploitabilityLevel = tostring(NodeProperties.rawData.exploitabilityLevel)
| where ExploitabilityLevel == "ExploitIsVerified" and Severity == "Critical"
| join ExposureGraphEdges on $left.NodeId == $right.SourceNodeId
| project TargetNodeName, TargetNodeLabel, SourceNodeName, CVSSScore, NodeProperties
| sort by CVSSScore desc
// MITRE ATT&CK Mapping
//The query focuses on identifying critical vulnerabilities with verified exploits, which aligns with several MITRE ATT&CK techniques related to vulnerability exploitation. Here are some relevant techniques:
// T1190 - Exploit Public-Facing Application: This technique involves exploiting vulnerabilities in public-facing applications. Your query identifies critical vulnerabilities that could be exploited in such a manner1.
// T1210 - Exploitation of Remote Services: This technique involves exploiting vulnerabilities in remote services. The query’s focus on verified exploits and critical severity aligns with detecting such exploitation attempts1.
// T1068 - Exploitation for Privilege Escalation: This technique involves exploiting vulnerabilities to gain higher privileges. Critical vulnerabilities with verified exploits could be used for privilege escalation1.Explanation
This KQL query is designed to identify devices or virtual machines that are vulnerable to critical security vulnerabilities (CVEs) with verified exploits. Here's a simplified breakdown:
-
Data Source: The query uses two tables:
- ExposureGraphNodes: Contains information about vulnerabilities, including their severity and exploitability.
- ExposureGraphEdges: Helps link vulnerabilities to specific devices or virtual machines.
-
Focus: The query targets vulnerabilities that:
- Have a "Critical" severity level.
- Have a verified exploit available (indicated by "ExploitIsVerified").
-
Process:
- It filters the vulnerabilities to only include those that are critical and have verified exploits.
- It then joins this information with another table to find out which devices or virtual machines are affected by these vulnerabilities.
-
Output: The result is a list of devices or virtual machines that are at risk due to these critical, exploitable vulnerabilities. The list is sorted by the CVSS score, which indicates the severity of the vulnerability.
-
Purpose: The goal is to prioritize and expedite the remediation of these vulnerable machines to reduce the risk of exploitation and minimize the potential attack surface.
-
MITRE ATT&CK Mapping: The query aligns with several MITRE ATT&CK techniques related to exploiting vulnerabilities, such as:
- Exploiting public-facing applications.
- Exploiting remote services.
- Exploiting vulnerabilities for privilege escalation.
In essence, this query helps security teams quickly identify and address the most urgent vulnerabilities in their network to prevent potential attacks.
