Query Details

Identify Network Shares With Write Permissions Set To Everyone In Highly Exposed Devices

Query

let DevVulNetShares = DeviceTvmSecureConfigurationAssessment 
    | where ConfigurationId has "scid-4001"
    | where IsCompliant == "0"
    | where IsApplicable == "1"
    | extend Folder = parse_json(Context)[0][0]
    | extend Path = parse_json(Context)[0][1]
    | project DeviceId, DeviceName, OSPlatform, Folder, Path;
let DeviceInformation = DeviceInfo
    | where ExposureLevel has "High"
    | distinct DeviceId, ExposureLevel;
union DevVulNetShares, DeviceInformation
    | summarize by DeviceId
    | join ( DevVulNetShares ) on DeviceId
    | join kind=leftouter ( DeviceInformation ) on DeviceId
    | project DeviceId,
            DeviceName,
            OSPlatform, 
            Folder, 
            Path

About this query

Identify network shares with write permissions set to Everyone in highly exposed devices

Description

The following query leverages DeviceTvmSecureConfigurationAssessment table and specifically ConfigurationId "scid-4001" (Remove share write permission set to "Everyone"), a weakness which is available at the Microsoft Defender Vulnerability Management (MDVM) add-on license. Results provided include network shares with write permissions set to Everyone in highly exposed devices.

Microsoft Defender XDR

Versioning

VersionDateComments
1.006/10/2024Initial publish
1.020/10/2024Description refinement

Explanation

This query is designed to identify network shares on devices that are highly exposed to security risks and have write permissions set to "Everyone." Here's a simple breakdown of what the query does:

  1. Data Source: It uses the DeviceTvmSecureConfigurationAssessment table, which contains security configuration assessments for devices.

  2. Filter Criteria:

    • It looks for entries with the ConfigurationId "scid-4001," which corresponds to the security issue of having write permissions set to "Everyone" on network shares.
    • It filters for devices where this configuration is not compliant (IsCompliant == "0") and is applicable (IsApplicable == "1").
  3. Data Extraction:

    • It extracts the folder and path information from the Context field for these non-compliant configurations.
  4. Device Information:

    • It retrieves information about devices that have a high exposure level from the DeviceInfo table.
  5. Combining Data:

    • It combines the data from the two sources (non-compliant network shares and high exposure devices) to identify which devices have both characteristics.
  6. Output:

    • The final result includes the device ID, device name, operating system platform, folder, and path for each identified device.

In summary, this query helps security teams identify devices that are at high risk and have network shares with potentially dangerous write permissions, allowing them to take corrective action.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: October 20, 2024

Tables

DeviceTvmSecureConfigurationAssessmentDeviceInfo

Keywords

Devices

Operators

let|wherehas==extendparse_jsonprojectdistinctunionsummarizejoinonkind=leftouter

Actions

GitHub