Vulnerability Detection Playbook

Introduction: The Need for Effective Vulnerability Detection Capabilities

As cyber threats continue to evolve, unpatched vulnerabilities remain one of the most exploited attack vectors for cybercriminals seeking to gain unauthorised access, deploy malware, or escalate privileges within enterprise environments. Organisations face a constant challenge in managing vulnerabilities across their IT infrastructure, including endpoints, servers, cloud environments, and third-party applications. Without effective detection capabilities, security gaps can persist unnoticed, increasing the risk of exploitation and potential data breaches.

Effective vulnerability detection capabilities and processes are essential for identifying, prioritising, and mitigating security weaknesses before attackers can exploit them. A comprehensive vulnerability detection strategy should integrate automated vulnerability scanning, real-time threat intelligence, Security Information and Event Management (SIEM) correlation, and Continuous Threat Exposure Management (CTEM). Solutions such as Vulnerability Management (VM) tools, Endpoint Detection and Response (EDR), and Patch Management systems play a crucial role in maintaining security hygiene by detecting misconfigurations, missing patches, and exploitable flaws.

To minimise security risks, organisations must implement continuous vulnerability assessment, automated risk scoring, and proactive patching workflows. By leveraging a combination of security automation, asset visibility, and risk-based vulnerability management, businesses can enhance their overall cybersecurity posture, reduce attack surface exposure, and prevent exploitation by threat actors.

Initial Detection of Vulnerabilities
- Identify Unpatched Systems
- Detect End-of-Life Software Usage
- Monitor Systems Missing Security Updates
Privilege Escalation Vulnerabilities
- Detect Exploitable Privileges
- Identify Misconfigured User Permissions
- Monitor Unusual Sudo or Admin Activity
Network and Exposure Risks
- Open Ports and Weak Firewall Rules
- Detect External Access to Internal Resources
- Identify Publicly Exposed Systems
Application and Endpoint Vulnerabilities
- Identify Vulnerable Software Versions
- Detect Usage of Known Exploits
- Monitor Execution of Exploit Code
Incident Response and Remediation
- Isolate Vulnerable Systems
- Correlate Indicators of Exposure (IoEs)
- Timeline Reconstruction
Conclusion

This playbook provides a structured approach to detecting, analysing, and mitigating vulnerabilities across an organisation using advanced KQL queries in Microsoft Defender and Sentinel. Each section includes multiple query options with detailed descriptions and expected results.

1. Initial Detection of Vulnerabilities

Query Option 1: Identify Unpatched Systems

DeviceTvmSoftwareInventory
| where Timestamp > ago(7d)
| where IsVulnerable == true
| project Timestamp, DeviceName, SoftwareName, SoftwareVersion, CveId

Description: Identifies devices running vulnerable software by checking CVE exposure. Results include affected devices, software names, and CVE details.

Query Option 2: Detect End-of-Life Software Usage

DeviceTvmSoftwareInventory
| where Timestamp > ago(7d)
| where SoftwareName contains "Windows 7" or SoftwareName contains "Windows Server 2012"
| project Timestamp, DeviceName, SoftwareName, SoftwareVersion

Description: Detects systems running outdated or unsupported software versions. Results display affected devices and software details.

Query Option 3: Monitor Systems Missing Security Updates

DeviceTvmSecurityConfigurationAssessment
| where Timestamp > ago(7d)
| where ConfigurationState == "Misconfigured"
| project Timestamp, DeviceName, ConfigurationSetting, ConfigurationState

Description: Identifies misconfigured security settings that may leave systems vulnerable. Results include misconfigured settings and affected devices.

2. Privilege Escalation Vulnerabilities

Query Option 1: Detect Exploitable Privileges

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains "whoami /priv"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Description: Detects attempts to enumerate privileges on a system, which may indicate an attacker looking for privilege escalation opportunities. Results display accounts and devices.

Query Option 2: Identify Misconfigured User Permissions

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKeyPath contains "HKLM\\SAM" or RegistryKeyPath contains "HKLM\\SECURITY"
| project Timestamp, DeviceName, RegistryKeyPath, RegistryValueName

Description: Identifies registry modifications that may indicate misconfigured user permissions allowing unauthorised access. Results show affected devices and registry paths.

Query Option 3: Monitor Unusual Sudo or Admin Activity

DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Elevated" and AccountName != "Administrator"
| project Timestamp, DeviceName, AccountName, LogonType

Description: Flags non-administrator accounts performing privileged actions. Results include timestamps, accounts, and affected devices.

3. Network and Exposure Risks

Query Option 1: Open Ports and Weak Firewall Rules

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (21, 23, 3389, 445) and Direction == "Inbound"
| project Timestamp, DeviceName, RemoteIPAddress, RemotePort

Description: Detects inbound connections to potentially vulnerable services. Results highlight devices, ports, and remote IPs.

Query Option 2: Detect External Access to Internal Resources

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public" and RemotePort in (22, 3389, 445)
| project Timestamp, DeviceName, RemoteIPAddress, RemotePort

Description: Identifies external connections targeting sensitive services. Results display external IPs and targeted devices.

Query Option 3: Identify Publicly Exposed Systems

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public" and Direction == "Inbound"
| summarize ExposureCount = count() by DeviceName, RemoteIPAddress
| where ExposureCount > 5
| project DeviceName, RemoteIPAddress, ExposureCount

Description: Flags systems repeatedly accessed from external IPs. Results include device names and associated IPs.

4. Application and Endpoint Vulnerabilities

Query Option 1: Identify Vulnerable Software Versions

DeviceTvmSoftwareInventory
| where Timestamp > ago(7d)
| where SoftwareName contains "Java" or SoftwareName contains "Flash"
| project Timestamp, DeviceName, SoftwareName, SoftwareVersion

Description: Detects legacy software with known vulnerabilities. Results display software versions and affected devices.

Query Option 2: Detect Usage of Known Exploits

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains_any ("exploit", "msfconsole", "mimikatz")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Description: Identifies attempts to execute known exploit tools. Results include affected accounts and devices.

Query Option 3: Monitor Execution of Exploit Code

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Description: Detects execution of encoded PowerShell commands, often used in exploitation. Results show devices and command details.

6. Conclusion

The playbook offers a good approach to detecting and analysing compromises in an environment. However, its usefulness depends on the environment and tools at your disposal. For an environment where KQL is an option, the queries may require some adaptation to specific data sources and infrastructure setup

PreviousWindows Intrusion Detection Playbook NextBusiness Email Compromise Detection Playbook

Last updated 2 months ago