CVE 2024 6387 Regresshion Identify Affected Endpoints
Query
DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| extend OpenSSHVersion = extract(@"(\d+\.\d+)(?:p\d+)?", 1, SoftwareVersion)
| extend OpenSSHVersion = toreal(OpenSSHVersion)
| where OpenSSHVersion between (8.5 .. 9.8) or OpenSSHVersion < 4.4
| distinct DeviceId, DeviceName, OpenSSHVersionAbout this query
CVE-2024-6387 regreSSHion identify affected endpoints
Description
This query will help identify endpoints with OpenSSH of an affected version by the regreSSHion vulnerability.
References
Microsoft XDR & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Lateral Movement
- Technique ID: T1210
- Exploitation of Remote Services
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 04/07/2024 | Initial publish |
Explanation
This query helps find endpoints with a vulnerable version of OpenSSH due to the regreSSHion vulnerability. It looks for OpenSSH versions between 8.5 and 9.8, or versions below 4.4. The goal is to identify affected devices for further action.
