Devices with known vulnerabilities and users who have received a suspicious payload may indicate a potential compromise where adversaries are exploiting weak systems to deliver malicious content. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks targeting vulnerable devices and their associated users.
KQL Query
```kql
// 1. A list of all devices that have this vulnerability
// 2. A list of all users that use those devices
// 3. If these users opened those .mkv files
let all_computers_with_vlcvln =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareName contains "vlc"
    // distinct yields a single-column table, which is what in() expects;
    // the original summarize makelist() produced one row holding an array,
    // so the in() comparison below never matched a plain DeviceName string
    | distinct DeviceName;
DeviceFileEvents
| where DeviceName in (all_computers_with_vlcvln)
| where FileName contains "mkv"
// InitiatingProcessAccountName is the account that handled the file (step 2)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, FileName, FolderPath
```
```yaml
id: 9c2ba784-c664-40f1-b0df-8f34c6626be5
name: devices_with_vuln_and_users_received_payload (1)
description: |
  // Author: jan geisbauer
  // @janvonkirchheim
  // ------------------------
  // 1. A list of all devices that have this vulnerability
  // 2. A list of all users that use those devices
  // 3. If these users received .mkv files recently
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareVulnerabilities
      - DeviceFileEvents
query: |
  // 1. A list of all devices that have this vulnerability
  // 2. A list of all users that use those devices
  // 3. If these users opened those .mkv files
  let all_computers_with_vlcvln =
      DeviceTvmSoftwareVulnerabilities
      | where SoftwareName contains "vlc"
      // distinct gives a single-column table for in(); makelist() produced one array row that never matched
      | distinct DeviceName;
  DeviceFileEvents
  | where DeviceName in (all_computers_with_vlcvln)
  | where FileName contains "mkv"
  | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType, FileName, FolderPath
```
| Sentinel Table | Notes |
|---|---|
| DeviceTvmSoftwareVulnerabilities | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
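The query above stops at "which vulnerable devices saw an .mkv file". The following is an added example, not the original hunting query from this page or its author, that carries the three numbered steps through to a triage-ready result: it keeps the CVE identifiers from DeviceTvmSoftwareVulnerabilities, joins on DeviceId rather than the (non-unique) DeviceName, attributes each file to the account and process that handled it, and flags files that carry a download origin. Table and column names are from the Defender XDR advanced-hunting schema as surfaced in Sentinel; the 7-day lookback, the `"vlc"` substring and the treatment of an empty FileOriginUrl as "local/unknown" are assumptions made for the example.

```kql
// Added example, not the page's own query. Assumes the Defender XDR advanced-hunting
// schema (DeviceTvmSoftwareVulnerabilities, DeviceFileEvents) as exposed in Sentinel.
let lookback = 7d;                 // assumption: how far back to hunt
// Step 1: devices with an open VLC vulnerability, keeping the CVEs for context.
// This table is a current-state snapshot, so it is not filtered by Timestamp.
let vulnerable_devices =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareName contains "vlc"      // assumption: substring match is good enough
    | summarize CveIds = make_set(CveId), VlcVersion = any(SoftwareVersion)
              by DeviceId, DeviceName;
// Steps 2 and 3: .mkv files that appeared on those devices and who handled them
DeviceFileEvents
| where Timestamp > ago(lookback)
| where FileName endswith ".mkv"              // tighter than contains "mkv" (avoids e.g. mkvtoolnix)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| join kind=inner vulnerable_devices on DeviceId   // DeviceId is stable; DeviceName can repeat
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            EventCount = count(),
            Files   = make_set(FileName, 20),
            Origins = make_set_if(FileOriginUrl, isnotempty(FileOriginUrl), 10)
          by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
             CveIds = tostring(CveIds), VlcVersion
// A populated FileOriginUrl means the file was downloaded (browser, mail client, etc.)
| extend Delivery = iff(array_length(Origins) > 0, "downloaded", "local/unknown origin")
| order by Delivery asc, FirstSeen desc
```

Rows marked "downloaded" for an interactive user account are the ones to review first; rows where InitiatingProcessFileName is a backup or sync agent usually explain themselves and are candidates for the exclusions discussed below.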
Scenario: A system update or patching tool (e.g., Microsoft Update, SCCM, or Ansible) is running a scheduled job to apply a security patch that temporarily exposes the system to a known vulnerability during the update process.
Filter/Exclusion: Exclude events related to system update tools or scheduled maintenance windows using the process.name field (e.g., msiexec.exe, setup.exe, ansible.exe) or check for event_id associated with patching activities.
Scenario: A security team member is performing a vulnerability assessment using a tool like Nessus or Qualys, which temporarily creates a vulnerable state on a test system to simulate an attack vector.
Filter/Exclusion: Exclude events where the source IP or user is from the internal security team, or use a custom field like tool_used to identify assessment tools (e.g., nessus, qualys).
Scenario: An administrator is manually testing a new security configuration or firewall rule, which may temporarily expose a device to a known vulnerability to validate the rule’s effectiveness.
Filter/Exclusion: Exclude events where the user is an admin with elevated privileges (e.g., user.name = admin, user.group = Domain Admins) or use a custom_tag like test_environment.
Scenario: A backup or synchronization job (e.g., Veeam, rsync, or Azure Backup) is transferring files between systems, and the destination system temporarily has a known vulnerability due to outdated software.
Filter/Exclusion: Exclude events related to backup tools (e.g., veeam.exe, rsync.exe, azcopy.exe) or filter by process.name and destination_ip to identify legitimate backup activity.
Scenario: A legitimate application (e.g., a SIEM tool like Splunk or a log aggregation tool
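The scenarios above name generic fields (process.name, user.name, tool_used, event_id) that do not exist in the DeviceFileEvents schema. The following is an added example, not part of the original page, that expresses those exclusions with the columns Sentinel actually provides: InitiatingProcessFileName for the tool, InitiatingProcessAccountName for the user, and a constructed table of maintenance windows for scheduled patching. The process names, account names and window times are placeholders to be replaced with your own values. One deliberate difference from the text: privileged accounts are tagged rather than dropped, because silently excluding admins from a hunt for exploited media files removes exactly the activity most worth reviewing.

```kql
// Added example, not the page's own query. All allowlist values below are constructed
// placeholders; replace them with the tools, service accounts and windows in your environment.
let excluded_processes = dynamic([            // backup / sync / patching agents (scenarios 1 and 4)
    "veeam.exe", "rsync.exe", "azcopy.exe", "msiexec.exe", "setup.exe"]);
let assessment_accounts = dynamic([           // scanner service accounts (scenario 2), constructed names
    "svc-nessus", "svc-qualys"]);
let privileged_accounts = dynamic([           // scenario 3: tagged, not excluded; constructed names
    "admin", "da-jdoe"]);
let maintenance_windows = datatable(WindowStart: datetime, WindowEnd: datetime) [
    datetime(2024-01-06 02:00), datetime(2024-01-06 06:00)   // constructed example window
];
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".mkv"
| where InitiatingProcessFileName !in~ (excluded_processes)      // drop known backup/patch tooling
| where InitiatingProcessAccountName !in~ (assessment_accounts)  // drop scanner service accounts
| extend IsPrivilegedAccount = InitiatingProcessAccountName in~ (privileged_accounts)
// Maintenance windows: cross-join every event with every window, then keep
// only events that fall in none of them. _k is a constant key for the cross join.
| extend _k = 1
| join kind=leftouter (maintenance_windows | extend _k = 1) on _k
| extend InWindow = Timestamp between (WindowStart .. WindowEnd)
| summarize WindowHits = countif(InWindow)
          by Timestamp, ReportId, DeviceName, FileName, FolderPath, ActionType,
             InitiatingProcessAccountName, InitiatingProcessFileName, IsPrivilegedAccount
| where WindowHits == 0
| project-away WindowHits
| order by IsPrivilegedAccount desc, Timestamp desc
```

Keep the allowlists short and reviewed: every name added to excluded_processes is a process an attacker could also name a dropper after, so prefer pairing a process name with its expected signer or folder (InitiatingProcessFolderPath) before treating it as benign.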