From 434d8460d406a5acfca8f71194b812b6ee0eeb79 Mon Sep 17 00:00:00 2001
From: Sudarta
Date: Fri, 8 Aug 2025 19:36:58 +0530
Subject: [PATCH 1/2] Added DetectCVEExplot file

---
DefenderXDR/DetectCVEexploits.kql | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 DefenderXDR/DetectCVEexploits.kql

diff --git a/DefenderXDR/DetectCVEexploits.kql b/DefenderXDR/DetectCVEexploits.kql
new file mode 100644
index 0000000..fc7742d
--- /dev/null
+++ b/DefenderXDR/DetectCVEexploits.kql
@@ -0,0 +1,16 @@
+// Get all the TVM data
+let tvm_data = DeviceTvmSoftwareVulnerabilities
+| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;
+// Get CVE signatures on the network
+DeviceNetworkEvents
+| where ActionType contains "NetworkSignatureInspected"
+| extend AdditionalFields = todynamic(AdditionalFields)
+| extend SignatureName = tostring(AdditionalFields.SignatureName),
+ SignatureMatchedContent = tostring(AdditionalFields.SignatureMatchedContent),
+ SamplePacketContent = tostring(AdditionalFields.SamplePacketContent)
+| where SignatureName contains "CVE"
+// Join the TVM data of the related device
+| join kind=inner tvm_data on DeviceName
+// Check if the server is vulnerable to the detected CVE in network traffic
+| where SignatureName == CveId
+| project-away DeviceName1
\ No newline at end of file

From 3d8a2f07382c3221bd8bd52f4e8a886f183ee992 Mon Sep 17 00:00:00 2001
From: Sudarta
Date: Fri, 29 Aug 2025 16:34:02 +0530
Subject: [PATCH 2/2] adding mfa bypass file

---
Sentinel/AADMFABypass.kql | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 Sentinel/AADMFABypass.kql

diff --git a/Sentinel/AADMFABypass.kql b/Sentinel/AADMFABypass.kql
new file mode 100644
index 0000000..0f2cb77
--- /dev/null
+++ b/Sentinel/AADMFABypass.kql
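Review bot: The join in `| join kind=inner tvm_data on DeviceName` keys on DeviceName, which is not a stable device identity in these tables; two devices that share a hostname, or a re-imaged host that kept its name, can cross-match vulnerability rows and raise alerts for a device that does not actually carry the CVE. Both DeviceNetworkEvents and DeviceTvmSoftwareVulnerabilities expose DeviceId, so add it to the `distinct` projection and key the join on it, folding the CVE match into the join condition so the later `| where SignatureName == CveId` filter is no longer needed: `| join kind=inner tvm_data on DeviceId, $left.SignatureName == $right.CveId` followed by `| project-away DeviceId1, DeviceName1`. Note also that `contains "CVE"` is case-insensitive while the `==` comparison against CveId is case-sensitive and exact, so a SignatureName that carries anything beyond the bare CVE identifier, or differs in case, is dropped silently; confirm the signature naming format before relying on exact equality, and document that assumption in the comment above the join.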
@@ -0,0 +1,15 @@
+SigninLogs
+ | where AuthenticationRequirement != "multiFactorAuthentication"
+ | where HomeTenantId == ResourceTenantId
+ | where tostring(NetworkLocationDetails) == "[]"
+ | where ResultType == 0
+ | where ConditionalAccessStatus == "success"
+ | where todynamic(AuthenticationDetails)[0].authenticationMethod != "Windows Hello for Business"
+ | where AppDisplayName != "Microsoft Intune Company Portal"
+ | where AppDisplayName != "Microsoft Intune Web Company Portal"
+ | where AppDisplayName != "Microsoft Office Web Apps Service"
+ | where AppDisplayName != "Microsoft Account Controls V2"
+ | where ResourceDisplayName != "Microsoft Intune Enrollment"
+ | project UserPrincipalName, UserId, AppDisplayName, ResourceDisplayName, NetworkLocationDetails, AuthenticationRequirement
+ | summarize count() by UserPrincipalName, AppDisplayName, ResourceDisplayName, AuthenticationRequirement
+ | sort by UserPrincipalName asc, count_ desc
\ No newline at end of file
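Review bot: The Windows Hello exclusion inspects only `todynamic(AuthenticationDetails)[0]`, so a sign-in whose Windows Hello for Business step is recorded at any later position in the array is not excluded and is counted as an MFA-less sign-in; `| where AuthenticationDetails !contains "Windows Hello for Business"` covers the whole array. The query has no header comment: add a short one stating what it flags (successful sign-ins by home-tenant users that satisfied Conditional Access without an MFA requirement and carry an empty NetworkLocationDetails, presumably meaning no named location matched — worth confirming) and why each AppDisplayName and ResourceDisplayName in the exclusion list is exempt, since an allowlist without rationale tends to grow unreviewed. The final `summarize` also discards the UserId and NetworkLocationDetails that the preceding `project` keeps and carries no IPAddress or TimeGenerated, so an analyst cannot see when or from where the sign-in came; consider `| summarize count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), IPs=make_set(IPAddress) by UserPrincipalName, AppDisplayName, ResourceDisplayName, AuthenticationRequirement` and drop the now-redundant `project` line.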