let MayRCE = dynamic(["CVE-2020-0901","CVE-2020-1023","CVE-2020-1024","CVE-2020-1028","CVE-2020-1035","CVE-2020-1037","CVE-2020-1051","CVE-2020-1058","CVE-2020-1060","CVE-2020-1061","CVE-2020-1062","CVE-2020-1064","CVE-2020-1065","CVE-2020-1067","CVE-2020-1069","CVE-2020-1092","CVE-2020-1093","CVE-2020-1096","CVE-2020-1102","CVE-2020-1117","CVE-2020-1126","CVE-2020-1136","CVE-2020-1150","CVE-2020-1153","CVE-2020-1171","CVE-2020-1174","CVE-2020-1175","CVE-2020-1176","CVE-2020-1192"]);
// Count how many of the CVEs listed in MayRCE are present on each device.
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in (MayRCE)
| summarize CVECount = dcount(CveId) by DeviceName, OSPlatform
Castaldio86 / DefendDefenderATP
Created March 3, 2020 22:29
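// Flag changes to the Defender ATP onboarding policy in the registry:
//   1. a key under the Windows Advanced Threat Protection policy path is deleted, or
//   2. the OnboardingInfo value is changed to something different from its previous data.
DeviceRegistryEvents
| where * contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection" and ActionType == "RegistryKeyDeleted"
    or RegistryValueName == "OnboardingInfo" and RegistryValueData != PreviousRegistryValueData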