Last active
October 12, 2023 09:09
-
-
Save f-bader/836008268f52bd3b2c590527f0c6bf75 to your computer and use it in GitHub Desktop.
CVE-2023-38545 detection based on usage of curl process and TVM data in MDE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // List all devices that have curl installed or use curl. | |
| let ProcessBasedDevices = DeviceProcessEvents | |
| | where Timestamp > ago(30d) | |
| | where ProcessCommandLine has "curl" and FileName != "SenseNdr.exe" | |
| | extend Method = "Process" | |
| | summarize by DeviceId, DeviceName, Method; | |
| let TVMBasedDevices = DeviceTvmSoftwareInventory | |
| | where SoftwareName has "curl" | |
| | extend Method = "Software Inventory" | |
| | project DeviceId, DeviceName, Method, SoftwareName, SoftwareVersion, SoftwareVendor; | |
| union ProcessBasedDevices, TVMBasedDevices | |
| | summarize DetectionMethod = make_set(Method) by DeviceId, DeviceName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceProcessEvents | |
| | where ProcessCommandLine contains "curl" and FileName != "SenseNdr.exe" | |
| | where ProcessCommandLine contains "socks5" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment