Defender XDR Exposure Management For Hashtag Regre SS Hion
Query
// DefenderXDR Exposure Management for hashtag#RegreSSHion
// https://www.linkedin.com/posts/activity-7214788756237639680-rGkW/
//Use below KQL to determine your internet facing VM with OpenSSH and prioritize the following:
// - Access Control
// - Host-based Intrusion Prevention (E.g fail2ban)
// - SSH Configuration Hardening
// (E.g LoginGraceTime/MaxStartups/PerSourceMaxStartups)
// Refer to Splunk Mitigation Strategies for CVE-2024-6387
// Link: https://lnkd.in/gFPsbcaW
let InternetFacingVM=
ExposureGraphNodes
| where NodeLabel == 'device' or (Categories has 'virtual_machine' and set_has_element(Categories, 'virtual_machine'))
| where NodeProperties.rawData.isInternetFacing == true
| extend InternetFacingDeviceName=tostring(NodeProperties.rawData.deviceName)
| project InternetFacingDeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName contains "openssh"
| where DeviceName has_any(InternetFacingVM)
// MITRE ATT&CK Mapping
// Based on the operations performed in the KQL code, here are the relevant MITRE ATT&CK techniques:
// T1133 - External Remote Services:
// Description: Adversaries may leverage external remote services to access and control systems over the internet.
// Relevance: The query identifies internet-facing devices, which could be targeted for remote access via services like OpenSSH.
// T1210 - Exploitation of Remote Services:
// Description: Adversaries may exploit vulnerabilities in remote services to gain unauthorized access.
// Relevance: By identifying devices with OpenSSH, the query highlights potential targets for exploitation.
// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to gain access to remote services.
// Relevance: OpenSSH is often used for secure remote access, and valid accounts could be used to log in to these services.
// T1046 - Network Service Scanning:
// Description: Adversaries may scan for network services to identify potential entry points.
// Relevance: The query’s focus on internet-facing devices and specific software (OpenSSH) aligns with the reconnaissance phase of identifying exploitable services.Explanation
This KQL query is designed to identify virtual machines (VMs) that are exposed to the internet and have OpenSSH installed. The goal is to prioritize security measures for these VMs, such as:
- Access Control: Implementing strict access policies to control who can connect to the VM.
- Host-based Intrusion Prevention: Using tools like fail2ban to prevent unauthorized access attempts.
- SSH Configuration Hardening: Enhancing the security settings of SSH, such as adjusting parameters like
LoginGraceTime,MaxStartups, andPerSourceMaxStartups.
The query first filters for internet-facing devices that are categorized as virtual machines. It then checks if these devices have OpenSSH installed. This helps in identifying which VMs need immediate attention for security improvements.
Additionally, the query is mapped to relevant MITRE ATT&CK techniques, highlighting potential risks and attack vectors, such as:
- External Remote Services (T1133): Identifying devices that could be accessed remotely.
- Exploitation of Remote Services (T1210): Highlighting potential targets for exploitation due to vulnerabilities.
- Valid Accounts (T1078): Recognizing the risk of unauthorized access using valid credentials.
- Network Service Scanning (T1046): Understanding how adversaries might scan for these services to find entry points.
The query also references mitigation strategies for a specific vulnerability (CVE-2024-6387) and provides a link to further resources on LinkedIn and Splunk.
Details

Steven Lim
Released: August 5, 2024
Tables
Keywords
Operators