Hunt for public facing devices via public tag
Hunt Public Devices With Tag
Query
DeviceInfo
| where Timestamp > ago(7d)
| extend AdditionalFields = todynamic(AdditionalFields)
| where todatetime(AdditionalFields.InternetFacingLastSeen) > ago(7d)
| extend InternetFacingLastSeen = tostring(AdditionalFields.InternetFacingLastSeen)
, InternetFacingReason = tostring(AdditionalFields.InternetFacingReason)
, InternetFacingLocalIp = tostring(AdditionalFields.InternetFacingLocalIp)
, InternetFacingPublicScannedIp = tostring(AdditionalFields.InternetFacingPublicScannedIp)
, InternetFacingLocalPort = tostring(AdditionalFields.InternetFacingLocalPort)
, InternetFacingPublicScannedPort = tostring(AdditionalFields.InternetFacingPublicScannedPort)
, InternetFacingTransportProtocol = tostring(AdditionalFields.InternetFacingTransportProtocol)
| summarize arg_max(InternetFacingLastSeen, *) by DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReason
| project InternetFacingLastSeen, DeviceName, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingPublicScannedIp, InternetFacingPublicScannedPort, InternetFacingTransportProtocol, InternetFacingReasonAbout this query
Hunt for public facing devices via public tag
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
Description
Find public facing devices via the public device tag in the DeviceInfo table. The internet facing reason is also included in this query.
Risk
Public facing identification is only supported for Windows operating systems with specific versions. For more details about the nuances, see the blogpost added in the references.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Sentinel
N/A
Explanation
This query is designed to identify devices that are exposed to the internet, specifically those running Windows operating systems. It does this by looking for devices tagged as "public-facing" in the DeviceInfo table. Here's a simple breakdown of what the query does:
- Time Frame: It focuses on data from the last 7 days.
- Data Extraction: The query extracts additional fields related to internet exposure from the
AdditionalFieldscolumn, which is stored in a dynamic format. - Filtering: It filters out devices that have been identified as internet-facing within the last 7 days.
- Data Transformation: Converts various attributes related to internet exposure (like last seen time, reason, local and public IPs and ports, and transport protocol) into string format for easier handling.
- Aggregation: It summarizes the data to get the most recent record for each device based on the last time it was seen as internet-facing. This is done using the
arg_maxfunction. - Output: Finally, it projects (or selects) relevant columns to display, including the last seen time, device name, local and public IPs and ports, transport protocol, and the reason for being internet-facing.
The query helps in identifying potential security risks by pinpointing devices that are accessible from the internet, which could be vulnerable to exploitation as per the MITRE ATT&CK technique T1190.
