KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350

If you’re using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those systems that have been patched against CVE-2020-1350.

Don’t have the Update table? The Update table that is being queried gets exposed through Azure Automation. Read about that here: Azure Automation Docs

//Looking for Installed KBIDs
Update
| where KBID == "4565511" or KBID == "4558998" or KBID == "4565483" or KBID == "4565503"
| distinct Computer, Product, KBID

Download the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/LookingforInstalledKBIDs.txt

This particularly query looks for current Windows systems, i.e., Windows Server 2016, Windows Server 2016 (Server Core installation), Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server, version 1903 (Server Core installation), Windows Server, version 1909 (Server Core installation), and Windows Server, version 2004 (Server Core installation).

If you need to identify other OS’s and OS versions, replace the KBID filter strings with your own specific content using the table in the advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

This query requires that the OMS/Log Analytics agent is installed on the system and configured to deliver data to the specific LAW you are querying against. All of my Azure VMs and on-premises systems point to the LAW for my Azure Sentinel instance.

Additionally, if you want to find those that are not patched against the vulnerability use the not equal (!=) KQL operator in place of the ==.

Authors