List Internet Facing Devices With Vulnerabilities That Have An Exploit Available
Description
This KQL query lists all internet facing devices that have a vulnerability which is exploitable. Exploitable here means that the vulnerability has been published and a PoC/exploit for it is available online. MDE classifies a device as internet facing when it has a public IP address; depending on your configuration, such a device could be completely exposed, have only some ports exposed, or not be reachable from the internet at all. This is mostly because a firewall placed in front of the internet facing device can block traffic to it. In case you want to see all details of each finding (such as which KB needs to be installed), remove the last two lines of the query.
Risk
The risk of exploits on internet facing servers is higher, because they may be publicly reachable and are therefore easier to exploit.
Query
Microsoft Defender For Endpoint
// Collect all internet facing devices
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| distinct DeviceId;
// Collect all vulnerabilities for which an exploit is available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in~ (ExploitableVulnerabilities)
| where DeviceId in~ (InternetFacingDevices)
// Summarize results to get the statistics for each device
| summarize TotalExploitableVulnerabilities = dcount(CveId),
    CveIds = make_set(CveId),
    SoftwareNames = make_set(SoftwareName),
    RecommendedSecurityUpdates = make_set(RecommendedSecurityUpdate)
    by DeviceName
| sort by TotalExploitableVulnerabilities
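As an added example (not part of the original query above), the per-CVE detail view the description refers to, joined to the KB table so each finding carries its CVSS score and publication date for prioritisation; it assumes the columns CvssScore and PublishedDate on DeviceTvmSoftwareVulnerabilitiesKB and ExposureLevel on DeviceInfo.

```kusto
// Added example: per-CVE detail view, not the original query.
// Assumes DeviceTvmSoftwareVulnerabilitiesKB exposes CvssScore and PublishedDate,
// and DeviceInfo exposes ExposureLevel (the MDE exposure rating per device).
let InternetFacingDevices = DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | where IsInternetFacing
    | project DeviceId, ExposureLevel;
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == 1
    | project CveId, CvssScore, PublishedDate;
DeviceTvmSoftwareVulnerabilities
// Keep only vulnerabilities on internet facing devices
| join kind=inner InternetFacingDevices on DeviceId
// Keep only vulnerabilities with a public exploit, adding score and date
| join kind=inner ExploitableVulnerabilities on CveId
// One row per device and CVE, including the update that closes it
| project DeviceName, ExposureLevel, CveId, CvssScore, VulnerabilitySeverityLevel,
    PublishedDate, SoftwareVendor, SoftwareName, SoftwareVersion,
    RecommendedSecurityUpdate, RecommendedSecurityUpdateId
// Highest-scoring findings first so patching can start with them
| sort by CvssScore desc, DeviceName asc
```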