Detecting CVE’s which are used by the FireEye toolkit

By Gianni Castaldi

Today’s blog post won’t be about the hack or what went wrong at FireEye as all companies eventually can get hacked. The good thing is they released important information to create detections.

Let’s have a look at the 16 prioritized CVE’s on the FireEye GitHub. Since there are only 16 on the list this can create a good starting point if there are a lot of devices and or outstanding patches.

We will create a dynamic list of all 16 patches, and compare these with the known vulnerabilities from Microsoft Defender for Endpoint. And after that we will create a count of missing vulnerabilities per Device ID.

let FireEyeCVE= dynamic(["CVE-2019-11510",
"CVE-2020-1472",
"CVE-2018-13379",
"CVE-2018-15961",
"CVE-2019-0604",
"CVE-2019-0708",
"CVE-2019-11580",
"CVE-2019-19781",
"CVE-2020-10189",
"CVE-2014-1812",
"CVE-2019-3398",
"CVE-2020-0688",
"CVE-2016-0167",
"CVE-2017-11774",
"CVE-2018-8581",
"CVE-2019-8394"]);
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in(FireEyeCVE)
| summarize MissingCVEs = count(), make_set(CveId) by DeviceId, DeviceName, OSPlatform

Thanks for reading and if you have any questions or ideas for a blog post let me know.

Alternative Text

By Gianni Castaldi

MVP | NinjaCat | Researching and Engineering Cyber Security @ KustoWorks

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close