Query Details

Vulnerabilities that have a publicly available POC

Vulnerabilities With Available POC

Query

// Extract the CVE IDs that have an available POC
let VulnerabilitiesWithPOC = externaldata(CVE: string, URL: string )[@"https://raw.githubusercontent.com/tg12/PoC_CVEs/main/cve_links.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Join POC information with the Software Vulnerabilities based on CVE
| join kind=inner (VulnerabilitiesWithPOC
| summarize POCLinks = make_set(URL), POCTotal = dcount(URL) by CVE) on $left.CveId == $right.CVE
// Summarize Results to get statistics
| summarize TotalVulnerableDevices = dcount(DeviceName), arg_max(CveId, POCTotal, POCLinks) by CveId
// Sort the results
| sort by POCTotal, TotalVulnerableDevices

About this query

Vulnerabilities that have a publicly available POC

Query Information

Description

A list has been made on Github with links to available POCs for CVE's. This query lists the vulnerabilities in your environment that have a publicly available POC. This might help to prioritize which vulnerabilities need to be patches first.

Risk

The vulnerabilities is known to be have a POC available, which increases the changes of it being used by threat actors, thus depending on your configuration the exploit can also be used to gain access into your environment.

References

Defender XDR

Explanation

This query is designed to identify and prioritize vulnerabilities in your environment that have publicly available proof-of-concept (POC) exploits. Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls a list of CVE (Common Vulnerabilities and Exposures) IDs and their corresponding POC URLs from a GitHub repository. This list indicates which vulnerabilities have publicly available POCs.

  2. Join Data: The query then matches these CVE IDs with the vulnerabilities detected in your environment, using the DeviceTvmSoftwareVulnerabilities table. This helps in identifying which of your vulnerabilities have known POCs.

  3. Summarize Information: For each matched vulnerability, it compiles a list of POC URLs and counts how many POCs are available for each CVE. It also counts how many devices in your environment are affected by each vulnerability.

  4. Sort Results: Finally, it sorts the vulnerabilities based on the number of POCs available and the number of affected devices. This helps in determining which vulnerabilities might be more critical to address first, as those with more POCs and affecting more devices could be more likely to be exploited.

In essence, this query helps you prioritize patching efforts by highlighting vulnerabilities with known exploits that could be used by attackers to compromise your systems.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

VulnerabilitiesDevicesEnvironmentConfigurationExploitAccessLinksSoftwareStatisticsResults

Operators

letexternaldatawithformatignoreFirstRecordjoinkindsummarizemake_setdcountonarg_maxsort by

Actions

GitHub