# CVE-2024-6387 regreSSHion identify affected internet facing endpoints

### Description

This query will help identify internet facing endpoints running an OpenSSH version affected by the regreSSHion vulnerability.

### References

- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

### Microsoft XDR & Microsoft Sentinel

```kql
let VulnerableDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| extend OpenSSHVersion = extract(@"(\d+\.\d+)(?:p\d+)?", 1, SoftwareVersion)
| extend OpenSSHVersion = toreal(OpenSSHVersion)
// Affected: 8.5p1 up to, but not including, the fixed 9.8p1, plus anything before 4.4p1.
// between() is inclusive and would also flag the fixed 9.8p1, so the upper bound is written explicitly.
| where (OpenSSHVersion >= 8.5 and OpenSSHVersion < 9.8) or OpenSSHVersion < 4.4
| distinct DeviceId, DeviceName, OpenSSHVersion;
VulnerableDevices
| join (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId // keep only the latest record per device
    | where IsInternetFacing == true // boolean column: true for internet facing devices, false otherwise
    | project DeviceId, DeviceName, OSBuild, OSVersion, OSDistribution, OSVersionInfo
) on DeviceId
```

### MITRE ATT&CK Mapping

- Tactic: Lateral Movement
- Technique ID: T1210 - [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210/)

### Source

### Versioning

| Version | Date | Comments |
| ------- | ---------- | --------------- |
| 1.0 | 04/07/2024 | Initial publish |
This query helps find internet-facing devices running a version of OpenSSH vulnerable to regreSSHion. It looks for devices with OpenSSH versions between 8.5 and 9.8 or older than 4.4. The results include device information such as OS details.
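The version-range logic the query relies on, worked through in Python as an added example (not part of the original query page): it applies the same version capture to constructed inventory rows, keeps the upper bound exclusive so the fixed 9.8p1 is not flagged, and mirrors the join against the newest DeviceInfo record per device. The table rows and device names are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Same capture as the KQL extract(): major.minor with an optional portable "pN" suffix.
# A Debian/Ubuntu epoch prefix such as "1:" has no dot after it, so search() skips it.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:p\d+)?")


def parse_openssh_version(software_version: str) -> Tuple[int, int]:
    """(major, minor) from strings like '9.2p1', '1:8.9p1-3ubuntu0.10' or '9.8p1'."""
    m = VERSION_RE.search(software_version)
    if m is None:
        raise ValueError(f"no OpenSSH version in {software_version!r}")
    return int(m.group(1)), int(m.group(2))


def in_regresshion_range(software_version: str) -> bool:
    """Upstream ranges from the Qualys advisory: below 4.4p1, or 8.5p1 up to but not
    including the fixed 9.8p1. Tuples keep the upper bound exclusive (KQL between() is not)."""
    v = parse_openssh_version(software_version)
    return v < (4, 4) or (8, 5) <= v < (9, 8)


def affected_internet_facing(inventory: List[Dict], device_info: List[Dict]) -> List[Tuple[str, str, str]]:
    """Mirror the KQL join: newest DeviceInfo row per device, internet-facing only,
    OpenSSH in the affected range. Returns (DeviceId, DeviceName, SoftwareVersion)."""
    latest: Dict[str, Dict] = {}  # summarize arg_max(Timestamp, *) by DeviceId
    for row in device_info:
        if row["DeviceId"] not in latest or row["Timestamp"] > latest[row["DeviceId"]]["Timestamp"]:
            latest[row["DeviceId"]] = row
    hits: Dict[str, Tuple[str, str, str]] = {}
    for row in inventory:
        if "openssh" not in row["SoftwareName"].lower():  # SoftwareName has "openssh"
            continue
        dev = latest.get(row["DeviceId"])
        if dev and dev["IsInternetFacing"] and in_regresshion_range(row["SoftwareVersion"]):
            hits[row["DeviceId"]] = (row["DeviceId"], row["DeviceName"], row["SoftwareVersion"])
    return [hits[k] for k in sorted(hits)]


# Constructed sample rows standing in for DeviceTvmSoftwareInventory and DeviceInfo.
INVENTORY = [
    {"DeviceId": "dev-a", "DeviceName": "bastion01", "SoftwareName": "openssh", "SoftwareVersion": "1:9.2p1-2+deb12u3"},
    {"DeviceId": "dev-b", "DeviceName": "jump02", "SoftwareName": "openssh", "SoftwareVersion": "9.8p1"},
    {"DeviceId": "dev-c", "DeviceName": "build03", "SoftwareName": "openssh", "SoftwareVersion": "8.9p1"},
    {"DeviceId": "dev-d", "DeviceName": "legacy04", "SoftwareName": "openssh", "SoftwareVersion": "4.3p2"},
]
DEVICE_INFO = [
    {"DeviceId": "dev-a", "Timestamp": 2, "IsInternetFacing": True},
    {"DeviceId": "dev-b", "Timestamp": 2, "IsInternetFacing": True},
    {"DeviceId": "dev-c", "Timestamp": 1, "IsInternetFacing": True},   # stale record
    {"DeviceId": "dev-c", "Timestamp": 2, "IsInternetFacing": False},  # newest wins
    {"DeviceId": "dev-d", "Timestamp": 2, "IsInternetFacing": True},
]
```

Distribution packages usually backport the fix without changing the upstream version string, so a hit such as 8.9p1 on a patched Debian or Ubuntu host is a false positive; confirm against the distribution's package revision and advisory before treating it as exposed.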

Michalis Michalos
Released: July 4, 2024