Leveraging Sentinel UEBA To Safeguard Against Open SSH Vulnerability Exploits
Query
// Leveraging Sentinel UEBA to safeguard against OpenSSH vulnerability exploits
// https://www.linkedin.com/posts/activity-7217745435635900416-ZIa7/
// Using Sentinel UEBA threat intelligence data, you can identify the IP addresses of SSH BruteForce attackers targeting your cloud or on-premises environment. By adding these IPs to your firewall block list, you can enhance protection against OpenSSH vulnerability exploits, specifically CVE-2024-6387 (hashtag#RegreSSHion) and CVE-2024-6409 (hashtag#Privsep).
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription
| where isnotempty( ThreatIntelIndicatorDescription )
| where ThreatIntelIndicatorDescription contains "destination_port_numbers: 22" and
ThreatIntelIndicatorDescription contains "A BruteForce indicator"
| distinct SourceIPAddress, SourceIPLocation
| sort by SourceIPLocation asc
// MITRE ATT&CK Mapping
// The KQL query is designed to detect brute force attacks on SSH (port 22). This can be mapped to the following MITRE ATT&CK techniques:
// T1110.001 - Brute Force: Password Guessing:
// The query looks for indicators of brute force attacks, which aligns with the technique of attempting to guess passwords to gain unauthorized access.
// T1040 - Network Sniffing:
// While not directly related to brute force, monitoring port 22 can also help detect network sniffing activities aimed at capturing credentials.
// T1078 - Valid Accounts:
// Successful brute force attacks may lead to the use of valid accounts, which is another technique in the MITRE ATT&CK framework.Explanation
This query is designed to help protect against vulnerabilities in OpenSSH by using Sentinel UEBA (User and Entity Behavior Analytics) threat intelligence data. It focuses on identifying IP addresses involved in SSH brute force attacks targeting your cloud or on-premises environments. Here's a simple breakdown:
-
Purpose: The query aims to detect brute force attacks on SSH (port 22), which could exploit specific OpenSSH vulnerabilities (CVE-2024-6387 and CVE-2024-6409).
-
Data Source: It uses data from Sentinel UEBA to identify potential attackers.
-
Process:
- It filters data from the last 90 days.
- It checks for threat intelligence indicators related to brute force attacks on SSH.
- It extracts distinct IP addresses and their locations involved in these attacks.
- It sorts the results by location.
-
Actionable Insight: By identifying these IP addresses, you can add them to your firewall's block list to prevent further attacks.
-
MITRE ATT&CK Mapping:
- T1110.001 - Brute Force: Password Guessing: The query detects attempts to guess passwords, a common brute force technique.
- T1040 - Network Sniffing: Monitoring SSH can also help identify network sniffing activities.
- T1078 - Valid Accounts: Successful brute force attacks might lead to unauthorized use of valid accounts.
Overall, this query helps enhance security by identifying and mitigating potential brute force attacks on SSH, thereby safeguarding against specific vulnerabilities.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators