Adversaries may exploit CVE-2022-22965 and then establish unauthorized outbound network connections to exfiltrate data or set up command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel so that exploitation of this known vulnerability is identified and contained before it leads to data loss or full system compromise.
KQL Query
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType =~ "NetworkSignatureInspected"
| where AdditionalFields contains ".jsp?cmd="
| summarize make_set(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName
id: 98b496c6-da2e-4b03-8e38-c038b2e3062d
name: CVE-2022-22965 Network Activity
description: |
  The following query surfaces network activity associated with exploitation of CVE-2022-22965.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where ActionType =~ "NetworkSignatureInspected"
  | where AdditionalFields contains ".jsp?cmd="
  | summarize make_set(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using netsh to configure network settings
Filter/Exclusion: process.name != "netsh" or process.args not like '%netsh%'
Scenario: System update using Microsoft Update or Windows Server Update Services (WSUS)
Filter/Exclusion: process.name != "wuauclt" and process.name != "wuauserv"
Scenario: Admin task using PowerShell to configure firewall rules via netsh
Filter/Exclusion: process.name != "powershell.exe" or process.args not like '%netsh%'
Scenario: Network discovery or inventory scan using nmap or arp-scan
Filter/Exclusion: process.name != "nmap" and process.name != "arp-scan"
Scenario: Internal monitoring tool using tcpdump or Wireshark for packet capture
Filter/Exclusion: process.name != "tcpdump" and process.name != "wireshark"
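The following is an added offline reference implementation of the hunting query and of the first false-positive exclusion above; it is example code written for this page, not the Sentinel rule itself or Microsoft code. It re-implements the KQL pipeline (7-day window, case-insensitive ActionType match, case-insensitive `contains` on AdditionalFields, then `make_set` capped at 5 with min/max Timestamp per device) in plain Python over constructed DeviceNetworkEvents-shaped rows, so the logic can be unit-tested before the query is run in Azure Sentinel. The sample rows, the `NOW` value and the mapping of the page's `process.name` / `process.args` onto the `InitiatingProcessFileName` / `InitiatingProcessCommandLine` columns are assumptions made for this example.

```python
"""Offline reference implementation of the CVE-2022-22965 hunting query.

Added example: NOT the Sentinel rule or Microsoft code. It mirrors the KQL
pipeline (Timestamp > ago(7d) -> ActionType =~ -> AdditionalFields contains
-> summarize make_set(..., 5), min/max Timestamp by device) so the logic and a
false-positive exclusion can be tested on constructed rows.
"""
from datetime import datetime, timedelta, timezone

INDICATOR = ".jsp?cmd="  # the substring the page's query hunts for
NOW = datetime(2022, 4, 5, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed rows shaped like DeviceNetworkEvents (not real telemetry). The
# InitiatingProcess* columns stand in for the page's process.name/process.args
# (assumption: that is how the exclusions would map onto this table).
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-01", "DeviceName": "web01",
     "ActionType": "NetworkSignatureInspected",
     "AdditionalFields": '{"SignatureName":"HTTP_Client","Uri":"/example.jsp?cmd=id"}',
     "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java -jar app.war"},
    # Same device, different casing: =~ and contains are case-insensitive in KQL
    {"Timestamp": NOW - timedelta(hours=1), "DeviceId": "dev-01", "DeviceName": "web01",
     "ActionType": "networksignatureinspected",
     "AdditionalFields": '{"Uri":"/Example.JSP?CMD=whoami"}',
     "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java -jar app.war"},
    # Matches the indicator but comes from the scheduled netsh job (false-positive scenario)
    {"Timestamp": NOW - timedelta(hours=2), "DeviceId": "dev-02", "DeviceName": "web02",
     "ActionType": "NetworkSignatureInspected",
     "AdditionalFields": '{"Uri":"/status.jsp?cmd=ping"}',
     "InitiatingProcessFileName": "netsh", "InitiatingProcessCommandLine": "netsh interface show"},
    # Wrong ActionType: not an inspected signature
    {"Timestamp": NOW - timedelta(hours=2), "DeviceId": "dev-01", "DeviceName": "web01",
     "ActionType": "ConnectionSuccess",
     "AdditionalFields": '{"Uri":"/example.jsp?cmd=id"}',
     "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java -jar app.war"},
    # Outside the 7-day window
    {"Timestamp": NOW - timedelta(days=10), "DeviceId": "dev-03", "DeviceName": "web03",
     "ActionType": "NetworkSignatureInspected",
     "AdditionalFields": '{"Uri":"/old.jsp?cmd=id"}',
     "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java -jar app.war"},
    # In window, right ActionType, but no indicator in AdditionalFields
    {"Timestamp": NOW - timedelta(hours=5), "DeviceId": "dev-03", "DeviceName": "web03",
     "ActionType": "NetworkSignatureInspected",
     "AdditionalFields": '{"Uri":"/index.jsp?page=1"}',
     "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java -jar app.war"},
]


def exclude_netsh_scheduled_job(event):
    """First scenario on the page: keep the row unless the process is netsh AND
    its command line mentions netsh (De Morgan form of
    process.name != "netsh" or process.args not like '%netsh%')."""
    name = event["InitiatingProcessFileName"].lower()
    args = event["InitiatingProcessCommandLine"].lower()
    return not (name == "netsh" and "netsh" in args)


def hunt(events, now=NOW, window=timedelta(days=7), max_set=5, exclusions=()):
    """Return one summary row per (DeviceId, DeviceName), mirroring the query."""
    rows = [e for e in events if e["Timestamp"] > now - window]  # Timestamp > ago(7d)
    rows = [e for e in rows if e["ActionType"].lower() == "networksignatureinspected"]  # =~
    rows = [e for e in rows if INDICATOR in e["AdditionalFields"].lower()]  # contains
    for keep in exclusions:  # optional false-positive filters, applied as extra where clauses
        rows = [e for e in rows if keep(e)]

    groups = {}
    for e in rows:
        key = (e["DeviceId"], e["DeviceName"])
        g = groups.setdefault(key, {"set": [], "min": e["Timestamp"], "max": e["Timestamp"]})
        # make_set(AdditionalFields, 5): distinct values, at most max_set per group
        if e["AdditionalFields"] not in g["set"] and len(g["set"]) < max_set:
            g["set"].append(e["AdditionalFields"])
        g["min"] = min(g["min"], e["Timestamp"])
        g["max"] = max(g["max"], e["Timestamp"])

    return [
        {"DeviceId": dev_id, "DeviceName": dev_name,
         "set_AdditionalFields": g["set"],
         "min_Timestamp": g["min"], "max_Timestamp": g["max"]}
        for (dev_id, dev_name), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, exclusions=[exclude_netsh_scheduled_job]):
        print(row["DeviceName"], row["min_Timestamp"], row["max_Timestamp"],
              len(row["set_AdditionalFields"]))
```

Run without exclusions, the sample yields two devices (web01 and the netsh-originated web02 row); with `exclude_netsh_scheduled_job` applied only web01 remains, with two distinct AdditionalFields values and a first/last-seen span of 09:00 to 11:00. Each remaining page scenario can be expressed as another predicate passed in `exclusions`, which is how the `and`/`or` logic of a proposed filter can be checked against known-benign rows before it is added to the production query.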