Technique ID | Title | Link |
---|---|---|
T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
This query lists all internet-facing devices that have an exploitable vulnerability. Exploitable here means that a vulnerability has been found and a PoC/exploit for it is publicly available online. MDE classifies a device as internet facing when it has a public IP address; depending on your configuration, such a device could be completely exposed, have only some ports exposed, or not be reachable from the internet at all. This is mostly because a firewall placed in front of the internet-facing device can block traffic to it. If you want to see all details of the incident (such as which KB needs to be installed), remove the last two rows of the query.
The risk of exploits on internet-facing servers is higher, because they can be publicly reachable and are therefore more easily exploitable.
- https://attack.mitre.org/techniques/T1190/
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975
```kql
// Collect all internet facing devices (latest DeviceInfo record per device)
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| distinct DeviceId;
// Collect all vulnerabilities for which an exploit is available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == true
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in~ (ExploitableVulnerabilities)
| where DeviceId in~ (InternetFacingDevices)
// Summarize results to get the statistics for each device
| summarize TotalExploitableVulnerabilities = dcount(CveId), CveIds = make_set(CveId), SoftwareNames = make_set(SoftwareName), RecommendedSecurityUpdates = make_set(RecommendedSecurityUpdate) by DeviceName
| sort by TotalExploitableVulnerabilities desc
```
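The following is an added example and not part of the original query above. It builds the detailed per-vulnerability view (the one you get by removing the summarize and sort) and enriches it with the CVSS score from the KB table and with the exposure details that MDE stores in `DeviceInfo.AdditionalFields`, so you can check which public IP and port were actually seen as reachable. The `AdditionalFields` keys (`InternetFacingReason`, `InternetFacingPublicScannedIp`, `InternetFacingPublicScannedPort`, `InternetFacingLocalPort`, `InternetFacingTransportProtocol`) are taken from the linked Tech Community article, and the `PublicIP`, `ExposureLevel`, `CvssScore` and `PublishedDate` columns from the public advanced hunting schema; treat these names as assumptions and verify them against your tenant's schema before relying on the output.

```kql
// Added example (not the original query): per-vulnerability detail view for
// internet-facing devices, enriched with CVSS score and exposure details.
// AdditionalFields key names are assumed from the linked Tech Community article.
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| extend ExposureDetails = parse_json(AdditionalFields)
| project DeviceId,
          PublicIP,
          ExposureLevel,
          InternetFacingReason = tostring(ExposureDetails.InternetFacingReason),
          ScannedPublicIp = tostring(ExposureDetails.InternetFacingPublicScannedIp),
          ScannedPublicPort = toint(ExposureDetails.InternetFacingPublicScannedPort),
          LocalPort = toint(ExposureDetails.InternetFacingLocalPort),
          Transport = tostring(ExposureDetails.InternetFacingTransportProtocol);
// Exploitable CVEs with their CVSS score and publication date from the KB table
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == true
| project CveId, CvssScore, PublishedDate;
DeviceTvmSoftwareVulnerabilities
// Keep only CVEs with a public exploit, and only devices MDE marks as internet facing
| join kind=inner ExploitableVulnerabilities on CveId
| join kind=inner InternetFacingDevices on DeviceId
| project DeviceName, DeviceId, PublicIP, ExposureLevel, InternetFacingReason,
          ScannedPublicIp, ScannedPublicPort, LocalPort, Transport,
          CveId, CvssScore, VulnerabilitySeverityLevel, PublishedDate,
          SoftwareVendor, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate
// Highest-scoring exploitable CVEs on exposed hosts first
| sort by CvssScore desc, DeviceName asc
```

Because the query keeps one row per device and CVE, you can filter on `LocalPort` or `ScannedPublicPort` to confirm that the vulnerable software is the service that is actually reachable from the internet, which is the caveat from the description above about only some ports being exposed. Sorting by `CvssScore` rather than by the count of CVEs is useful when you have to decide which `RecommendedSecurityUpdate` to roll out first.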