Adversaries may exploit known vulnerabilities listed in CISA Alert (AA22-117A) to gain unauthorized access or execute malicious code on targeted systems. Proactively hunting for these indicators in Azure Sentinel helps SOC teams identify and mitigate potential breaches before they lead to data exfiltration or system compromise.
KQL Query
// CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
let CISAAlertAA22117A= dynamic(
[
"CVE-2021-44228", // Log4Shell - Apache Log4j - Remote code execution (RCE)
"CVE-2021-40539", // Zoho ManageEngine AD SelfService Plus - RCE
"CVE-2021-34523", // ProxyShell - Microsoft Exchange Server - Elevation of privilege
"CVE-2021-34473", // ProxyShell - Microsoft Exchange Server - RCE
"CVE-2021-31207", // ProxyShell - Microsoft Exchange Server - Security feature bypass
"CVE-2021-27065", // ProxyLogon - Microsoft Exchange Server - RCE
"CVE-2021-26858", // ProxyLogon - Microsoft Exchange Server - RCE
"CVE-2021-26857", // ProxyLogon - Microsoft Exchange Server - RCE
"CVE-2021-26855", // ProxyLogon - Microsoft Exchange Server - RCE
"CVE-2021-26084", // Atlassian Confluence Server and Data Center - Arbitrary code execution
"CVE-2021-21972", // VMware vSphere Client - RCE
"CVE-2020-1472", // ZeroLogon - Microsoft Netlogon Remote Protocol (MS-NRPC) - Elevation of privilege
"CVE-2020-0688", // Microsoft Exchange Server - RCE
"CVE-2019-11510", // Pulse Secure Pulse Connect Secure - Arbitrary file reading
"CVE-2018-13379", // Fortinet FortiOS and FortiProxy - Path traversal
"CVE-2021-42237", // Sitecore XP - RCE
"CVE-2021-35464", // ForgeRock OpenAM server - RCE
"CVE-2021-27104", // Accellion FTA - OS command execution
"CVE-2021-27103", // Accellion FTA - Server-side request forgery
"CVE-2021-27102", // Accellion FTA - OS command execution
"CVE-2021-27101", // Accellion FTA - SQL injection
"CVE-2021-21985", // VMware vCenter Server - RCE
"CVE-2021-20038", // SonicWall Secure Mobile Access (SMA) - RCE
"CVE-2021-40444", // Microsoft MSHTML - RCE
"CVE-2021-34527", // Microsoft Windows Print Spooler - RCE
"CVE-2021-3156", // Sudo - Privilege escalation
"CVE-2021-27852", // Checkbox Survey - Remote arbitrary code execution
"CVE-2021-22893", // Pulse Secure Pulse Connect Secure - Remote arbitrary code execution
"CVE-2021-20016", // SonicWall SSLVPN SMA100 - Improper SQL command neutralization, allowing for credential access
"CVE-2021-1675", // Windows Print Spooler - RCE
"CVE-2020-2509", // QNAP QTS and QuTS hero - Remote arbitrary code execution
"CVE-2019-19781", // Citrix Application Delivery Controller (ADC) and Gateway - Arbitrary code execution
"CVE-2019-18935", // Progress Telerik UI for ASP.NET AJAX - Code execution
"CVE-2018-0171", // Cisco IOS Software and IOS XE Software - Remote arbitrary code execution
"CVE-2017-11882", // Microsoft Office - RCE
"CVE-2017-0199" // Microsoft Office - RCE
]
);
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in(CISAAlertAA22117A)
| join DeviceTvmSoftwareVulnerabilities on CveId
| project-away CveId1, VulnerabilitySeverityLevel1, AffectedSoftware
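The query above returns one row per vulnerable software instance. The following added example (not part of the original page or the Sentinel content it describes) reuses the same CVE list and rolls the result up per device, so an analyst can rank hosts by exposure and see which update closes the gap. It assumes the standard Defender Vulnerability Management schema columns CvssScore, IsExploitAvailable, DeviceName, OSPlatform, SoftwareName, SoftwareVersion and RecommendedSecurityUpdate.

```kql
// Added example: per-device triage of the CISA AA22-117A CVE list (same CVEs as the page's query).
// Assumes standard DeviceTvmSoftwareVulnerabilitiesKB / DeviceTvmSoftwareVulnerabilities columns.
let CISAAlertAA22117A = dynamic([
    "CVE-2021-44228", "CVE-2021-40539", "CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207",
    "CVE-2021-27065", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26084",
    "CVE-2021-21972", "CVE-2020-1472",  "CVE-2020-0688",  "CVE-2019-11510", "CVE-2018-13379",
    "CVE-2021-42237", "CVE-2021-35464", "CVE-2021-27104", "CVE-2021-27103", "CVE-2021-27102",
    "CVE-2021-27101", "CVE-2021-21985", "CVE-2021-20038", "CVE-2021-40444", "CVE-2021-34527",
    "CVE-2021-3156",  "CVE-2021-27852", "CVE-2021-22893", "CVE-2021-20016", "CVE-2021-1675",
    "CVE-2020-2509",  "CVE-2019-19781", "CVE-2019-18935", "CVE-2018-0171",  "CVE-2017-11882",
    "CVE-2017-0199"
]);
// Knowledge-base side: severity data for the CVEs in the alert only.
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in (CISAAlertAA22117A)
| project CveId, CvssScore, IsExploitAvailable
// Device side: which hosts and software instances carry those CVEs.
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceId, DeviceName, OSPlatform, SoftwareName, SoftwareVersion, CveId, RecommendedSecurityUpdate
  ) on CveId
| project-away CveId1
// One row per device: distinct CVEs, worst CVSS, whether a public exploit exists, and the fixes to apply.
| summarize
    ExposedCves        = make_set(CveId),
    CveCount           = dcount(CveId),
    MaxCvss            = max(CvssScore),
    ExploitableCount   = countif(IsExploitAvailable == true),
    AffectedSoftware   = make_set(strcat(SoftwareName, " ", SoftwareVersion)),
    RecommendedUpdates = make_set(RecommendedSecurityUpdate)
  by DeviceId, DeviceName, OSPlatform
// Simple remediation priority: exploited-in-the-wild CVEs with critical CVSS first.
| extend Priority = case(ExploitableCount > 0 and MaxCvss >= 9.0, "P1",
                         MaxCvss >= 7.0, "P2",
                         "P3")
| order by Priority asc, CveCount desc, MaxCvss desc
```

Because every CVE in the list is one CISA reports as routinely exploited, a device that still shows any of them after patch cycles have run is worth a ticket regardless of the computed priority; the ranking only orders the work.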
id: 755f0151-223f-4234-b534-9fc74b19903d
name: Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities
description: |
  This advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareVulnerabilitiesKB
      - DeviceTvmSoftwareVulnerabilities
tactics:
  - Execution
query: |
  // CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
  let CISAAlertAA22117A= dynamic(
  [
  "CVE-2021-44228", // Log4Shell - Apache Log4j - Remote code execution (RCE)
  "CVE-2021-40539", // Zoho ManageEngine AD SelfService Plus - RCE
  "CVE-2021-34523", // ProxyShell - Microsoft Exchange Server - Elevation of privilege
  "CVE-2021-34473", // ProxyShell - Microsoft Exchange Server - RCE
  "CVE-2021-31207", // ProxyShell - Microsoft Exchange Server - Security feature bypass
  "CVE-2021-27065", // ProxyLogon - Microsoft Exchange Server - RCE
  "CVE-2021-26858", // ProxyLogon - Microsoft Exchange Server - RCE
  "CVE-2021-26857", // ProxyLogon - Microsoft Exchange Server - RCE
  "CVE-2021-26855", // ProxyLogon - Microsoft Exchange Server - RCE
  "CVE-2021-26084", // Atlassian Confluence Server and Data Center - Arbitrary code execution
  "CVE-2021-21972", // VMware vSphere Client - RCE
  "CVE-2020-1472", // ZeroLogon - Microsoft Netlogon Remote Protocol (MS-NRPC) - Elevation of privilege
  "CVE-2020-0688", // Microsoft Exchange Server - RCE
  "CVE-2019-11510", // Pulse Secure Pulse Connect Secure - Arbitrary file reading
  "CVE-2018-13379", // Fortinet FortiOS and FortiProxy - Path traversal
  "CVE-2021-42237", // Sitecore XP - RCE
  "CVE-2021-35464", // ForgeRock OpenAM server - RCE
  "CVE-2021-27104", // Accellion FTA - OS command execution
  "CVE-2021-27103", // Accellion FTA - Server-side request forgery
  "CVE-2021-27102", // Accellion FTA - OS command execution
  "CVE-2021-27101", // Accellion FTA - SQL injection
  "CVE-2021-21985", // VMware vCenter Server - RCE
  "CVE-2021-20038", // SonicWall Secure Mobile Access (SMA) - RCE
  "CVE-2021-40444", // Microsoft MSHTML - RCE
  "CVE-2021-34527", // Microsoft Windows Print Spooler - RCE
  "CVE-2021-3156", // Sudo - Privilege escalation
  "CVE-2021-27852", // Checkbox Survey - Remote arbitrary code execution
  "CVE-2021-22893", // Pulse Secure Pulse Connect Secure - Remote arbitrary code execution
  "CVE-2021-20016", // SonicWall SSLVPN SMA100 - Improper SQL command neutralization, allowing for credential access
  "CVE-2021-1675", // Windows Print Spooler - RCE
  "CVE-2020-2509", // QNAP QTS and QuTS hero - Remote arbitrary code execution
  "CVE-2019-19781", // Citrix Application Delivery Controller (ADC) and Gateway - Arbitrary code execution
  "CVE-2019-18935", // Progress Telerik UI for ASP.NET AJAX - Code execution
  "CVE-2018-0171", // Cisco IOS Softwar
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses wbadmin or vssadmin to create backups, which may trigger the rule due to process creation or file system activity.
Filter/Exclusion: Exclude processes initiated by wbadmin or vssadmin with command-line arguments containing backup or snapshot.
Scenario: Windows Update or Patching Task
Description: Windows Update or Microsoft Endpoint Manager (MEM) patching tasks may trigger the rule due to registry modifications or file system changes associated with known vulnerabilities.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe, mpsvc.exe, or msiexec.exe with arguments related to WindowsUpdate or patch.
Scenario: Database Maintenance Task
Description: A database administrator may run maintenance tasks (e.g., sqlcmd, sqlservr.exe) that involve file system access or registry changes, which could be flagged by the rule.
Filter/Exclusion: Exclude processes initiated by sqlcmd or sqlservr.exe with command-line arguments containing maintenance, backup, or restore.
Scenario: Log File Rotation or Archiving
Description: Log rotation tools like logrotate or rsync may trigger the rule due to file system activity or process creation.
Filter/Exclusion: Exclude processes initiated by logrotate or rsync with arguments related to log files or archive operations.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Microsoft Defender (MsMpEng.exe) or third-party tools may trigger the rule due to file system scanning or registry access.
Filter/Exclusion: Exclude processes initiated by MsMpEng.exe,