Detecting CVEs used by the FireEye toolkit
By Gianni Castaldi
Today's blog post won't be about the hack or what went wrong at FireEye, as any company can eventually get hacked. The good thing is that they released important information to create detections.
Let's have a look at the 16 prioritized CVEs on the FireEye GitHub. Since there are only 16 on the list, this is a good starting point when there are many devices or a lot of outstanding patches.
We will create a dynamic list of all 16 CVEs and compare it with the known vulnerabilities reported by Microsoft Defender for Endpoint. After that we will count, per Device ID, how many of these CVEs are still unpatched.
// The 16 CVEs prioritized by FireEye, as a dynamic array we can match against
let FireEyeCVE = dynamic(["CVE-2019-11510",
"CVE-2020-1472",
"CVE-2018-13379",
"CVE-2018-15961",
"CVE-2019-0604",
"CVE-2019-0708",
"CVE-2019-11580",
"CVE-2019-19781",
"CVE-2020-10189",
"CVE-2014-1812",
"CVE-2019-3398",
"CVE-2020-0688",
"CVE-2016-0167",
"CVE-2017-11774",
"CVE-2018-8581",
"CVE-2019-8394"]);
// One row per device, per vulnerable software product, per CVE
DeviceTvmSoftwareInventoryVulnerabilities
// Keep only rows for the CVEs on the FireEye list
| where CveId in (FireEyeCVE)
// Count the matching rows and list the distinct CVEs per device;
// count() is per row, so a CVE seen under several products on one device is counted more than once
| summarize MissingCVEs = count(), make_set(CveId) by DeviceId, DeviceName, OSPlatform
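The same filter-and-group logic run over a few constructed inventory rows in Python, as an added example that is not part of the original post. It also shows why count() and make_set() can disagree when one CVE is listed under several software products on the same device. Column names follow the query; the sample rows and device names are constructed.

```python
from collections import defaultdict

# The 16 CVEs from the post, used as the watchlist to match against.
FIREEYE_CVES = {
    "CVE-2019-11510", "CVE-2020-1472", "CVE-2018-13379", "CVE-2018-15961",
    "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11580", "CVE-2019-19781",
    "CVE-2020-10189", "CVE-2014-1812", "CVE-2019-3398", "CVE-2020-0688",
    "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581", "CVE-2019-8394",
}

# Constructed sample rows mimicking DeviceTvmSoftwareInventoryVulnerabilities:
# one row per device, per vulnerable software product, per CVE.
SAMPLE_ROWS = [
    {"DeviceId": "dev-a", "DeviceName": "dc01", "OSPlatform": "WindowsServer2019",
     "SoftwareName": "windows_server_2019", "CveId": "CVE-2020-1472"},
    {"DeviceId": "dev-b", "DeviceName": "ws07", "OSPlatform": "Windows10",
     "SoftwareName": "office", "CveId": "CVE-2017-11774"},
    {"DeviceId": "dev-b", "DeviceName": "ws07", "OSPlatform": "Windows10",
     "SoftwareName": "outlook", "CveId": "CVE-2017-11774"},  # same CVE, second product
    {"DeviceId": "dev-b", "DeviceName": "ws07", "OSPlatform": "Windows10",
     "SoftwareName": "windows_10", "CveId": "CVE-2019-0708"},
    {"DeviceId": "dev-c", "DeviceName": "ws12", "OSPlatform": "Windows10",
     "SoftwareName": "browser", "CveId": "CVE-2099-0001"},  # placeholder, not on the list
]

def summarize_missing_cves(rows, watchlist=FIREEYE_CVES):
    """Equivalent of the post's query: filter to the watchlist, then group by device.

    Returns {DeviceId: {"DeviceName", "OSPlatform", "RowCount", "CveSet"}}.
    RowCount mirrors KQL count() (one per matching row); CveSet mirrors make_set(),
    which deduplicates, so RowCount can exceed len(CveSet) when one CVE appears
    under several software products on the same device.
    """
    result = {}
    for row in rows:
        if row["CveId"] not in watchlist:
            continue  # same effect as `where CveId in (FireEyeCVE)`
        entry = result.setdefault(row["DeviceId"], {
            "DeviceName": row["DeviceName"], "OSPlatform": row["OSPlatform"],
            "RowCount": 0, "CveSet": set()})
        entry["RowCount"] += 1
        entry["CveSet"].add(row["CveId"])
    return result
```

If you want MissingCVEs to equal the number of distinct CVEs rather than rows, dcount(CveId) in the KQL gives the len(CveSet) value shown here.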
Thanks for reading and if you have any questions or ideas for a blog post let me know.