
CISA KEV Detection Rules: KQL & SPL Queries for the CVEs Attackers Are Actually Exploiting


The CISA Known Exploited Vulnerabilities (KEV) catalog is the most useful detection priority queue in cybersecurity that most SOCs still ignore. Federal civilian agencies have to patch KEV entries by a hard due date; the rest of us treat it as a “nice to know” feed and patch on the next cycle. That gap — the days or weeks between a CVE landing in KEV and the patch reaching every production endpoint — is exactly when adversaries are most active. The right answer isn’t faster patching. It’s compensating detection.

This post gives you five production-grade detection queries for KEV-listed CVEs, mapped to MITRE ATT&CK, with the false-positive guidance you need to actually deploy them. Every query is pulled verbatim from the df00tech detection library — no hallucinated CVEs, no untested syntax.

Why KEV deserves a detection workflow, not just a patch workflow

CISA adds a CVE to KEV when it has evidence of active in-the-wild exploitation. That’s a strong signal — stronger than CVSS score, stronger than vendor severity rating, stronger than vulnerability scanner severity. The KEV catalog is, in effect, a curated stream of “this is being used right now.”

Three operational problems with treating KEV purely as a patch list:

  1. Patch lag is structural. Even disciplined teams take days to inventory affected assets, test the patch, and roll it out. For appliances (firewalls, VPN concentrators, Jenkins controllers) the lag is measured in weeks.
  2. Some KEV entries are unpatchable in your environment. Legacy systems, third-party appliances, embedded OT/IoT — the patch may not exist or may not be applicable.
  3. The first wave of exploitation is the most damaging. UNC5221 hit Ivanti Connect Secure as a zero-day before CISA even listed CVE-2024-21887. UTA0218 exploited PAN-OS GlobalProtect in Operation MidnightEclipse weeks before patches.

Compensating detection closes that window. Below are the five KEV entries every Sentinel or Splunk shop should have wired up today.

1. CVE-2024-21413 — Outlook MonikerLink NTLM Credential Leak

Mapped to T1566.001 Spearphishing Attachment. CVSS 9.8, CISA KEV listed February 2024, due date February 2025.

MonikerLink lets an attacker craft an Outlook hyperlink using the file:// URI scheme with an exclamation mark that bypasses Protected View and triggers COM moniker resolution. Click it and Outlook initiates NTLM authentication to an attacker-controlled SMB server — handing over the NTLMv2 hash without any further user interaction.

The reliable signal is OUTLOOK.EXE initiating an outbound SMB connection to a public IP. Legitimate Outlook never does this:

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "OUTLOOK.EXE"
// 445/139 is the SMB signal described above. 80/443 would also catch coercion over
// WebDAV, but they match ordinary Exchange Online traffic too: expect to allowlist
// those destinations or drop the two ports if the rule is to stay alertable.
| where RemotePort in (445, 139, 80, 443)
| where RemoteIPType == "Public"
| extend ThreatIndicator = "CVE-2024-21413-Outlook-External-SMB"
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
    RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine

Tuning note: if you use SharePoint hybrid or any cloud file-share that surfaces SMB URLs in email, whitelist those specific IPs. Don’t broaden the filter — the precision of OUTLOOK.EXE → external:445 is what makes this query alertable rather than hunting-only. The full CVE-2024-21413 detection adds an NTLM event correlation branch for defence in depth.

2. CVE-2024-3400 — PAN-OS GlobalProtect Command Injection

Mapped to T1190 Exploit Public-Facing Application. CVSS 10.0, exploited as a zero-day by UTA0218 in Operation MidnightEclipse to deploy the UPSTYLE backdoor.

The challenge with appliance CVEs is that the appliance is the security control — when the firewall is the target, the firewall’s own logs are your best telemetry. The detection looks for command-injection signatures in PAN-OS syslog and correlates against unexpected outbound connections from the management IP:

index=network sourcetype IN ("pan:log", "pan:system", "pan:globalprotect")
(vendor="Palo Alto Networks" OR product IN ("PAN-OS", "GlobalProtect"))
| where (log_subtype="system"
         AND match(_raw, "(?i)(wget|curl|bash|sh\s|/tmp/|/var/appweb|base64|eval|exec)"))
      OR (log_subtype="globalprotect"
         AND match(_raw, "(?i)(\.sh|wget|curl|/tmp|\.py|\.pl)"))
| eval CVE="CVE-2024-3400"
| bin _time span=1h
| stats count AS SuspiciousEvents, values(src_ip) AS SourceIPs,
        values(description) AS Descriptions BY host, _time
| where SuspiciousEvents >= 1

The most reliable IOC for this CVE is file creation in /var/appweb/sslvpndocs/global-protect/ — the UPSTYLE backdoor’s drop location. If you have file integrity monitoring on PAN-OS via Cortex Data Lake, prioritise that signal over log pattern matching. See the CVE-2024-3400 playbook for the full triage and forensic collection steps.

3. CVE-2024-21887 — Ivanti Connect Secure Command Injection

Also T1190. CVSS 9.1, chained with CVE-2023-46805 for unauthenticated RCE. Used as a zero-day by UNC5221 against defence, government, financial, and telecom organisations globally.

Ivanti Connect Secure (formerly Pulse Secure) is the textbook unpatchable appliance: deployed at network edge, not always in EDR coverage, and historically slow to receive vendor fixes. Detection has to lean on web logs (if you proxy ICS through nginx/IIS) and on the ICS device’s own syslog:

W3CIISLog
| where TimeGenerated > ago(24h)
| where csHost has_any ("ivanti", "pulse", "pulsesecure", "connectsecure")
    or csUriStem has_any ("/dana-na/", "/dana/", "/api/v1/auth", "/api/v1/totp")
| where csUriStem has_any (
    "/../", "cmd", "exec", "shell", "wget", "curl", "/tmp",
    "base64", "python", "||", "&&"
  )
| extend ThreatIndicator = "CVE-2024-21887-Suspicious-ICS-Request"

The /dana-na/ and /dana/ paths are the primary attack surface — any URI containing shell metacharacters or command names hitting these endpoints from an external IP is a high-confidence indicator. Correlate with the lateral-movement branch in the full CVE-2024-21887 detection: once attackers land on an ICS appliance, they pivot to internal SMB/RDP/SSH within minutes.

4. CVE-2024-23897 — Jenkins Arbitrary File Read

T1190. CVSS 9.8, CISA KEV due date September 2024. Affects Jenkins 2.441 and earlier.

The Jenkins CLI’s args4j parser treats @filepath as “substitute with file contents” — without authentication, you can read any file the Jenkins process can read, including master.key, which is the encryption key that protects every credential stored in the Jenkins controller. From there it’s a deserialisation chain to RCE. Jenkins is a perennial favourite for crypto miners and supply-chain attackers because development teams routinely expose it to the internet.

The detection is pleasingly specific — POST requests to /cli with @ argument patterns targeting sensitive paths:

index=web sourcetype IN ("access_combined", "nginx:access", "iis", "apache:access")
uri_path="*/cli*" AND http_method="POST"
| where match(_raw, "(?i)(@/etc/|@/var/jenkins|@/proc/|@/root|master\.key|hudson\.util\.Secret|credentials\.xml)")
| eval CVE="CVE-2024-23897"
| eval SensitiveFile=case(
    match(_raw, "master\.key"), "master.key (Jenkins encryption key)",
    match(_raw, "hudson\.util\.Secret"), "hudson.util.Secret",
    match(_raw, "credentials\.xml"), "credentials.xml",
    true(), "Unknown"
  )
| bin _time span=1h
| stats count AS Attempts, values(src_ip) AS SourceIPs,
        values(SensitiveFile) AS TargetFiles BY host, _time

If you only alert on master.key reads you’ll get near-zero false positives — a remote, unauthenticated request asking Jenkins for its encryption key is unambiguous. The CVE-2024-23897 detection page includes a high-volume scanning branch for catching reconnaissance against your Jenkins ports.

5. CVE-2025-24054 — Windows NTLM Credential Leak via Shell Files

Mapped to T1187 Forced Authentication. CISA KEV due date May 2025. Public exploits available on Exploit-DB.

This is CVE-2024-43451’s quieter sibling. Instead of .url shortcut files, the attacker delivers a zip containing a malicious .library-ms or .searchConnector-ms file. Simply unzipping the archive in Explorer is enough to trigger an NTLM authentication request to a remote SMB or WebDAV server — no click required.

The two-stage detection pattern (file delivery + NTLM coercion) is what makes this query actionable rather than noisy:

let SuspiciousShellFileCreation =
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName endswith_cs ".library-ms"
    or FileName endswith_cs ".searchConnector-ms"
    or FileName endswith_cs ".search-ms"
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any ("Downloads", "Temp", "AppData", "Desktop");
let NTLMCoercionFromShell =
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("explorer.exe", "searchprotocolhost.exe",
    "searchindexer.exe")
| where RemotePort in (445, 139, 80, 443)
| where RemoteIPType == "Public";
SuspiciousShellFileCreation | union NTLMCoercionFromShell

Correlate both signals on the same host within a 10-minute window for the highest-confidence alert. Full query and SPL equivalent on the CVE-2025-24054 detection page.
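As an added example (not from the df00tech library), here is that 10-minute, same-host correlation written out in Python over constructed rows that mirror the DeviceFileEvents and DeviceNetworkEvents columns the KQL above uses; the hostnames, IPs and helper names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the DeviceFileEvents / DeviceNetworkEvents
# columns the KQL above uses (illustrative, not real telemetry).
FILE_EVENTS = [
    {"TimeGenerated": "2025-04-01T09:00:05", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "invoice.library-ms", "FolderPath": r"C:\Users\a\Downloads\invoice.library-ms"},
    {"TimeGenerated": "2025-04-01T09:30:00", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FileName": "notes.txt", "FolderPath": r"C:\Users\b\Desktop\notes.txt"},
]
def _net(ts, host, ip, proc="Explorer.EXE", port=445, iptype="Public"):
    return {"TimeGenerated": ts, "DeviceName": host, "RemoteIP": ip,
            "InitiatingProcessFileName": proc, "RemotePort": port, "RemoteIPType": iptype}
NETWORK_EVENTS = [
    _net("2025-04-01T09:03:10", "ws01", "203.0.113.7"),              # 185 s after the drop
    _net("2025-04-01T09:45:00", "ws01", "203.0.113.8"),              # same host, outside 10 min
    _net("2025-04-01T09:31:00", "ws02", "203.0.113.9"),              # no shell file dropped on ws02
    _net("2025-04-01T09:02:00", "ws01", "10.0.0.5", iptype="Private"),  # internal share: ignored
]

SHELL_EXTS = (".library-ms", ".searchConnector-ms", ".search-ms")   # case-sensitive, like endswith_cs
COERCION_PROCS = {"explorer.exe", "searchprotocolhost.exe", "searchindexer.exe"}
STAGING_DIRS = ("Downloads", "Temp", "AppData", "Desktop")

def is_shell_file_drop(e):
    """Stage 1: a shell-handler file lands in a user-writable staging folder."""
    return (e["ActionType"] in ("FileCreated", "FileRenamed")
            and e["FileName"].endswith(SHELL_EXTS)
            and any(d in e["FolderPath"] for d in STAGING_DIRS))

def is_ntlm_coercion(e):
    """Stage 2: Explorer or the search host authenticates out to a public IP."""
    return (e["InitiatingProcessFileName"].lower() in COERCION_PROCS
            and e["RemotePort"] in (445, 139, 80, 443)
            and e["RemoteIPType"] == "Public")

def correlate(file_events, network_events, window_minutes=10):
    """Pair each drop with coercion traffic from the same host inside the window
    after the drop; one alert per (drop, connection) pair."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for f in filter(is_shell_file_drop, file_events):
        t0 = datetime.fromisoformat(f["TimeGenerated"])
        for n in filter(is_ntlm_coercion, network_events):
            delay = datetime.fromisoformat(n["TimeGenerated"]) - t0
            if n["DeviceName"] == f["DeviceName"] and timedelta(0) <= delay <= window:
                alerts.append({"DeviceName": f["DeviceName"], "File": f["FileName"],
                               "RemoteIP": n["RemoteIP"], "DelaySeconds": int(delay.total_seconds())})
    return alerts
```

Only the ws01 pair survives: the ws02 connection has no preceding shell-file drop, the second ws01 connection is outside the window, and the internal share is filtered out before correlation.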

Operationalising KEV detection

Five detections aren’t a programme — they’re a starting point. The reusable pattern across all of them:

  • Map KEV to ATT&CK technique. Every CVE in this post is anchored to a parent technique (T1190, T1566.001, T1187). That gives you a TTP-level detection that survives the specific CVE going stale, plus reusable coverage for future similar CVEs.
  • Lean on threat-actor context. UNC5221, UTA0218, and the rest aren’t randomly distributed — knowing which actors exploit which KEV entries tells you what post-exploitation behaviour to hunt for next. Every df00tech CVE detection includes the named threat actors and their characteristic follow-on TTPs.
  • Tier alerts by patch status. If a host is already patched against CVE-2024-3400, the detection should still fire (someone could still be probing), but the priority is “informational” not “critical.” Wire your CMDB or scanner output into the alert pipeline.
  • Watch the KEV feed. CISA publishes the catalog as a JSON feed. Poll it weekly, diff against your detection library, and prioritise gaps.
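
An added example, not df00tech code, of that poll-and-diff step in Python: the feed URL and field names are the ones CISA publishes, while the sample excerpt, its dates and the placeholder CVE-2099-0001 are constructed so it runs offline. It lists KEV entries with no detection, ordered so overdue and soonest-due gaps come first.

```python
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

def fetch_kev(url=KEV_URL):
    """Pull the live catalog (network call; the offline sample below stands in for it)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

# Constructed excerpt in the live feed's shape: a "vulnerabilities" list, one object per
# CVE with cveID/vendorProject/product/dateAdded/dueDate/knownRansomwareCampaignUse.
# Dates are illustrative; CVE-2099-0001 is a placeholder for an entry with no detection.
SAMPLE_FEED = json.loads("""{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "count": 3, "vulnerabilities": [
  {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
   "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-23897", "vendorProject": "Jenkins", "product": "Command Line Interface (CLI)",
   "dateAdded": "2024-08-19", "dueDate": "2024-09-09", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleAppliance",
   "dateAdded": "2099-01-01", "dueDate": "2099-01-21", "knownRansomwareCampaignUse": "Known"}
 ]}""")

# CVEs that already have a detection wired up: the five from this post.
DETECTION_LIBRARY = {"CVE-2024-21413", "CVE-2024-3400", "CVE-2024-21887",
                     "CVE-2024-23897", "CVE-2025-24054"}

def kev_gaps(feed, covered_cves, today=None):
    """KEV entries with no detection, most urgent first: overdue entries by how long
    they have been overdue, then the rest by due date; ransomware-linked ties first."""
    today = date.fromisoformat(today) if today else date.today()
    covered = {c.upper() for c in covered_cves}
    gaps = []
    for v in feed["vulnerabilities"]:
        if v["cveID"].upper() in covered:
            continue
        days = (date.fromisoformat(v["dueDate"]) - today).days
        gaps.append({"cveID": v["cveID"], "product": f'{v["vendorProject"]} {v["product"]}',
                     "dueDate": v["dueDate"], "daysToDue": days,
                     "ransomware": v.get("knownRansomwareCampaignUse") == "Known"})
    return sorted(gaps, key=lambda g: (g["daysToDue"], not g["ransomware"]))

if __name__ == "__main__":
    for g in kev_gaps(SAMPLE_FEED, DETECTION_LIBRARY):
        state = f"overdue by {-g['daysToDue']} d" if g["daysToDue"] < 0 else f"due in {g['daysToDue']} d"
        print(f"{g['cveID']:<16} {g['product']:<36} {state}")
```

Swap `SAMPLE_FEED` for `fetch_kev()` and `DETECTION_LIBRARY` for an export of your own rule set to run it against the live catalog.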

The df00tech detection library currently ships 19 verified KEV-listed CVE detections, all sourced against NVD and CISA before publication. Browse them via the main detection index or jump into related posts on building a detection engineering programme and the top 20 ATT&CK techniques every SOC should detect.

Patches close the door. Detection catches the people already in the room.