Devices with known vulnerabilities that have been accessed by users may indicate potential exploitation vectors for adversaries. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate risks before a compromise occurs.
KQL Query

```kusto
// 1. Devices where Defender Vulnerability Management reports a vulnerable VLC install.
//    'distinct' replaces make_list: the 'in' operator expects a single-column table of
//    scalar values, and make_list(…, 200) would silently truncate the device list.
let all_computers_with_vlcvln =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareName contains "vlc"
    | distinct DeviceName;
// 2. Users seen logged on to those devices. LoggedOnUsers is a JSON array string, so it is
//    parsed and expanded into one row per user; the expanded value is named explicitly.
let all_affected_users =
    DeviceInfo
    | where DeviceName in (all_computers_with_vlcvln)
    | mv-expand LoggedOnUser = todynamic(LoggedOnUsers)
    | extend UserName = tolower(tostring(LoggedOnUser.UserName))
    | where isnotempty(UserName)
    | distinct UserName;
// 3. Mail addresses of those users, lower-cased so the comparison below is case-insensitive.
let all_email_addresses_aff_users =
    IdentityInfo
    | where tolower(AccountName) in (all_affected_users)
    | where isnotempty(MailAddress)
    | project MailAddress = tolower(MailAddress)
    | distinct MailAddress;
// 4. .mkv attachments delivered to those mailboxes.
EmailAttachmentInfo
| where FileName contains ".mkv"
| where tolower(RecipientEmailAddress) in (all_email_addresses_aff_users)
```
```yaml
id: fbcb7ff3-0d5a-4565-9caa-fc454138081f
name: devices_with_vuln_and_users_received_payload
description: |
  // Author: jan geisbauer
  // @janvonkirchheim
  // ------------------------
  // 1. A list of all devices that have this vulnerability
  // 2. A list of all users that use those devices
  // 3. If these users received .mkv files recently
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareVulnerabilities
      - DeviceInfo
      - IdentityInfo
      - EmailAttachmentInfo
query: |
  // 1. Devices with a vulnerable VLC install ('distinct' instead of make_list, which the
  //    'in' operator cannot consume as a dynamic array and which would truncate at 200).
  let all_computers_with_vlcvln =
      DeviceTvmSoftwareVulnerabilities
      | where SoftwareName contains "vlc"
      | distinct DeviceName;
  // 2. Users logged on to those devices; LoggedOnUsers is a JSON array string.
  let all_affected_users =
      DeviceInfo
      | where DeviceName in (all_computers_with_vlcvln)
      | mv-expand LoggedOnUser = todynamic(LoggedOnUsers)
      | extend UserName = tolower(tostring(LoggedOnUser.UserName))
      | where isnotempty(UserName)
      | distinct UserName;
  // 3. Mail addresses of those users.
  let all_email_addresses_aff_users =
      IdentityInfo
      | where tolower(AccountName) in (all_affected_users)
      | where isnotempty(MailAddress)
      | project MailAddress = tolower(MailAddress)
      | distinct MailAddress;
  // 4. .mkv attachments delivered to those mailboxes.
  EmailAttachmentInfo
  | where FileName contains ".mkv"
  | where tolower(RecipientEmailAddress) in (all_email_addresses_aff_users)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
| IdentityInfo | Ensure this data connector is enabled |
- Scenario: A system update or patching tool (e.g., Microsoft Update, Ansible, or SCCM) is running a scheduled job to apply a security patch that includes a payload as part of the update package.
  - Filter/Exclusion: Exclude events where the payload is part of a known patching tool or update process, using a field like process.name or file.name to filter out legitimate update executables.
- Scenario: An administrator is performing a routine security scan (e.g., using Nessus or Qualys) that includes a payload for testing vulnerability detection capabilities.
  - Filter/Exclusion: Exclude events where the process name matches known security scanning tools, or where the payload is associated with a test or simulation activity.
- Scenario: A legitimate enterprise application (e.g., Microsoft Defender ATP, CrowdStrike, or Palo Alto Networks) is executing a scheduled job that includes a payload for threat intelligence gathering or endpoint protection.
  - Filter/Exclusion: Exclude events where the process name or file path matches known enterprise security tools, or where the payload is associated with a whitelisted security function.
- Scenario: A user is accessing a shared file or resource (e.g., via SMB or NFS) that contains a payload, but the access is part of a normal file transfer or backup process.
  - Filter/Exclusion: Exclude events where the file path matches known backup directories or shared resources, or where the user is part of a privileged group responsible for file transfers.
- Scenario: A system management tool (e.g., Puppet, Chef, or SaltStack) is deploying a configuration change that includes a payload as part of a script or configuration file.
  - Filter/Exclusion: Exclude events where the process name matches known configuration management tools, or where the payload is part of a legitimate configuration update.
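The query above returns only the matching attachment rows, and the false-positive scenarios describe exclusions without showing how to express them in KQL. The following is an added example written for this page; it is not part of the original hunting query or of the Sentinel content. It enriches the same hunt with the CVE ids and VLC version from DeviceTvmSoftwareVulnerabilities, keeps the sender, hash and any Defender verdict for each attachment so every row is triage-ready, and applies an exclusion of the kind the scenarios describe as an allow-list of sender domains. It assumes the standard Microsoft 365 Defender columns CveId, SoftwareVersion, SenderFromAddress, SHA256, ThreatTypes and NetworkMessageId; the allowed_sender_domains values and the 14-day lookback are constructed placeholders to adjust per tenant.

```kusto
// Added example (not the original query): enriched hunt with join-based output
// and a sender-domain allow-list. Assumes the Microsoft 365 Defender schema for the
// four tables; the allow-list entries and lookback are constructed placeholders.
let lookback = 14d;
// Constructed placeholder: vetted domains from which .mkv mail is expected.
let allowed_sender_domains = dynamic(["example.com", "media.example.net"]);
// 1. Vulnerable VLC installs: one row per device and version, CVEs collected into a set.
let vulnerable_devices =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareName contains "vlc"
    | summarize CveIds = make_set(CveId) by DeviceName, SoftwareVersion;
let vulnerable_device_names = vulnerable_devices | distinct DeviceName;
// 2. Users logged on to those devices. LoggedOnUsers is a JSON array string, so it is
//    parsed and expanded into one row per (device, user); empty names are dropped.
let device_users =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | where DeviceName in (vulnerable_device_names)
    | mv-expand LoggedOnUser = todynamic(LoggedOnUsers)
    | extend UserName = tolower(tostring(LoggedOnUser.UserName))
    | where isnotempty(UserName)
    | distinct DeviceName, UserName;
// 3. Map account names to mailboxes, lower-cased on both sides so the joins match.
let user_mailboxes =
    IdentityInfo
    | where isnotempty(MailAddress)
    | project UserName = tolower(AccountName), MailAddress = tolower(MailAddress)
    | distinct UserName, MailAddress;
// 4. .mkv attachments delivered to those mailboxes, minus allow-listed senders,
//    joined back to the user, device and CVE list.
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where FileName endswith ".mkv"
| extend MailAddress = tolower(RecipientEmailAddress),
         SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| where SenderDomain !in (allowed_sender_domains)
| join kind=inner (user_mailboxes) on MailAddress
| join kind=inner (device_users) on UserName
| join kind=inner (vulnerable_devices) on DeviceName
| project Timestamp, MailAddress, UserName, DeviceName, SoftwareVersion, CveIds,
          FileName, SHA256, SenderFromAddress, ThreatTypes, NetworkMessageId
| sort by Timestamp desc
```

`endswith ".mkv"` is used instead of `contains ".mkv"` so that names such as `clip.mkv.exe` do not inflate the result set; swap it back to `contains` if double-extension names should also be surfaced. The allow-list is applied before the joins, which keeps the excluded rows out of every downstream step rather than filtering the final output.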