# *High-Risk Vulnerabilities with Exploits Detected on Onboarded Devices*

## Query Information

### Category: Threat Hunting 

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068 |
| T1203 | Exploitation for Client Execution | https://attack.mitre.org/techniques/T1203 |


#### Description

This Threat Hunting Query identifies onboarded devices that have high-risk vulnerabilities (CVSS score > 9) for Remote Code Execution (RCE) or Privilege Escalation (PrivEsc) where public exploits are known to exist or have been verified. It leverages Exposure Graph data to pinpoint critical security exposures on devices within the environment.

The typo in the query (`explotabilityLevels`) has to stay there as long as Microsoft does not fix it in the ExposureGraphNodes table.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

## Defender XDR
```KQL
// Threat Hunting Query
ExposureGraphNodes
| where NodeLabel == "device"
// unpack the device's raw properties into top-level columns
| extend RawDataDynamic = NodeProperties.rawData
| project-away NodeProperties
| evaluate bag_unpack(RawDataDynamic)
| where onboardingStatus == "Onboarded"
| extend RCE = parse_json(highRiskVulnerabilityInsights.vulnerableToRemoteCodeExecution)
| extend PrivEsc = parse_json(highRiskVulnerabilityInsights.vulnerableToPrivilegeEscalation)
// "explotabilityLevels" (sic) is the property name as currently stored in the table
| where RCE.explotabilityLevels has "ExploitIsPublic"
    or RCE.explotabilityLevels has "ExploitIsVerified"
    or PrivEsc.explotabilityLevels has "ExploitIsPublic"
    or PrivEsc.explotabilityLevels has "ExploitIsVerified"
| where RCE.maxCvssScore > 9 or PrivEsc.maxCvssScore > 9
| project deviceName, azureADJoinType, exposureScore, isCustomerFacing, isExcluded, isHybridAzureADJoined, lastSeen, osPlatformFriendlyName, osVersionFriendlyName, RCE, PrivEsc
```

## Explanation

This query is designed for threat hunting and focuses on identifying devices within an organization's network that have been onboarded and are vulnerable to high-risk security threats. Specifically, it looks for vulnerabilities that could allow remote code execution (RCE) or privilege escalation (PrivEsc) with a Common Vulnerability Scoring System (CVSS) score greater than 9, indicating a high level of risk. The query checks if there are known public exploits or verified exploits for these vulnerabilities.

Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the ExposureGraphNodes table, which contains information about devices and their security exposures.

  2. Filter for Devices: It filters the data to only include entries where the node is labeled as a "device."

  3. Extract and Unpack Data: It extracts and unpacks raw data related to the device's vulnerabilities.

  4. Onboarded Devices: It further filters to include only devices that are currently onboarded.

  5. Identify Vulnerabilities: It identifies devices that are vulnerable to RCE or PrivEsc, specifically looking for vulnerabilities with public or verified exploits.

  6. High CVSS Score: It ensures that the vulnerabilities have a CVSS score greater than 9, highlighting them as high-risk.

  7. Output: Finally, it projects (or selects) specific information about these devices, such as their name, Azure AD join type, exposure score, and operating system details, among others.

Overall, this query helps security teams quickly identify and prioritize devices that are at high risk due to known vulnerabilities with available exploits, allowing them to take appropriate action to mitigate these risks.
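As an added example (not the author's code and not part of the query above), the same predicate re-implemented in Python so it can be re-applied offline, for instance over ExposureGraphNodes rows exported from Advanced Hunting. The row shape and sample values are constructed; the `_row` helper and the `NotOnboarded` status are assumptions. It goes one step beyond the query by also accepting the correctly spelled `exploitabilityLevels` key, so the filter keeps working if the typo is fixed upstream.

```python
import json

EXPLOIT_LEVELS = {"ExploitIsPublic", "ExploitIsVerified"}  # "exploit exists" per the query
CVSS_THRESHOLD = 9.0

def _insight(raw, key):
    """One highRiskVulnerabilityInsights entry (RCE or PrivEsc), parsed like parse_json()."""
    value = (raw.get("highRiskVulnerabilityInsights") or {}).get(key)
    return json.loads(value) if isinstance(value, str) else (value or {})

def _levels(insight):
    # The table stores the misspelled key "explotabilityLevels"; the correctly
    # spelled key is also accepted so the filter survives an upstream schema fix.
    levels = insight.get("explotabilityLevels") or insight.get("exploitabilityLevels") or []
    return set(levels if isinstance(levels, list) else [levels])

def is_high_risk_onboarded(row):
    """Same predicate as the KQL: onboarded device with a public/verified exploit
    for RCE or PrivEsc, and maxCvssScore > 9 on either insight."""
    if row.get("NodeLabel") != "device":
        return False
    raw = row.get("NodeProperties", {}).get("rawData") or {}
    if raw.get("onboardingStatus") != "Onboarded":
        return False
    rce = _insight(raw, "vulnerableToRemoteCodeExecution")
    pe = _insight(raw, "vulnerableToPrivilegeEscalation")
    has_exploit = bool(EXPLOIT_LEVELS & (_levels(rce) | _levels(pe)))
    max_score = max(float(rce.get("maxCvssScore") or 0), float(pe.get("maxCvssScore") or 0))
    return has_exploit and max_score > CVSS_THRESHOLD

def hunt(rows):
    """Device names the hunting query would return, in input order."""
    return [r["NodeProperties"]["rawData"]["deviceName"] for r in rows if is_high_risk_onboarded(r)]

def _row(name, status, rce=None, pe=None):
    """Build a constructed ExposureGraphNodes-shaped row (sample data, not telemetry)."""
    insights = {"vulnerableToRemoteCodeExecution": rce, "vulnerableToPrivilegeEscalation": pe}
    raw = {"deviceName": name, "onboardingStatus": status, "highRiskVulnerabilityInsights": insights}
    return {"NodeLabel": "device", "NodeProperties": {"rawData": raw}}

SAMPLE_ROWS = [  # constructed examples covering each branch of the filter
    _row("srv01", "Onboarded", rce={"explotabilityLevels": ["ExploitIsPublic"], "maxCvssScore": 9.8}),
    _row("ws02", "Onboarded", pe={"explotabilityLevels": ["ExploitIsVerified"], "maxCvssScore": 9.1}),
    _row("ws03", "Onboarded", rce={"explotabilityLevels": ["ExploitIsPublic"], "maxCvssScore": 8.5}),
    _row("srv04", "NotOnboarded", rce={"explotabilityLevels": ["ExploitIsPublic"], "maxCvssScore": 10}),
    _row("ws05", "Onboarded", rce={"explotabilityLevels": [], "maxCvssScore": 9.6}),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_ROWS))  # ['srv01', 'ws02']
```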

Released: June 18, 2026
