Query Details

Inbound SSH Connection To Vulnerable XZ Machine

Query

DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName

About this query

Explanation

This KQL query is designed to identify potential security threats related to a specific vulnerability, CVE-2024-3094, found in certain versions of the XZ Utils software (versions 5.6.0 and 5.6.1). The vulnerability may allow malicious code to bypass authentication features in SSHD.

Here's a simple breakdown of what the query does:

  1. Identify Vulnerable Devices:

    • The query first identifies devices that have the vulnerable versions of XZ Utils installed. It does this by searching for software named "xz" with version "5.6" in the device's software inventory and lists these devices by their unique identifiers (DeviceId).
  2. Monitor Network Events:

    • It then checks network events on these vulnerable devices to find instances where an inbound SSH connection was accepted. This is done by looking for network events where the action type is "InboundConnectionAccepted" and the initiating process is related to "ssh".
  3. Geolocation Information:

    • For each identified inbound SSH connection, the query retrieves geolocation information based on the remote IP address. This includes the country, state, city, latitude, and longitude of the remote connection.

The query is useful for security teams to monitor and respond to potential exploitation attempts on devices with the vulnerable XZ Utils versions, especially focusing on unauthorized SSH connections that could indicate malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceTvmSoftwareInventoryDeviceNetworkEvents

Keywords

DeviceTvmSoftwareInventoryNameIdNetworkEventsActionTypeInitiatingProcessFileGeoIPInfoRemoteCountryStateCityLatitudeLongitude

Operators

let|wherehasdistinctin==containsextendgeo_info_from_ip_addresstostringparse_json

Actions

GitHub