Query Details

CVE 2024 6387 Regresshion Identify Affected Internet Facing Endpoints

Query

let VulnerableDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| extend OpenSSHVersion = extract(@"(\d+\.\d+)(?:p\d+)?", 1, SoftwareVersion)
| extend OpenSSHVersion = toreal(OpenSSHVersion)
| where OpenSSHVersion between (8.5 .. 9.8) or OpenSSHVersion < 4.4
| distinct DeviceId, DeviceName, OpenSSHVersion;
VulnerableDevices
| join (DeviceInfo
| where IsInternetFacing == "1" // 1 for internet facing devices, 0 for non-internet facing devices
| project DeviceId, DeviceName, OSBuild, OSVersion, OSDistribution, OSVersionInfo
) on DeviceId

About this query

CVE-2024-6387 regreSSHion identify affected internet facing endpoints

Description

This query will help identify internet facing endpoints with OpenSSH of an affected version by the regreSSHion vulnerability.

References

Microsoft XDR & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.004/07/2024Initial publish

Explanation

This query helps find internet-facing devices with a vulnerable version of OpenSSH due to the regreSSHion vulnerability. It looks for devices with OpenSSH versions between 8.5 and 9.8 or older than 4.4. The results include device information like OS details.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: July 4, 2024

Tables

DeviceTvmSoftwareInventory DeviceInfo

Keywords

InternetOpenSSHVulnerableDevicesDeviceTvmSoftwareInventorySoftwareNameOpenSSHVersionDeviceIdDeviceNameIsInternetFacingDeviceInfoOSBuildOSVersionOSDistributionOSVersionInfoMITREATT&CKLateral MovementTechniqueT1210ExploitationRemote ServicesVersioningDateCommentsInitial publish

Operators

whereextendextracttorealbetweenordistinctjoinproject

MITRE Techniques

Actions

GitHub