Query Details

Suspicious SSH Connection Inspections

Query

**Suspicious SSH connection inspections**

**Description:** The aim of this query is to detect SSH connection attempts in which external sources specify babeld (network protocol) or Conker (network configuration manager) as parameters to establish a connection, in order to surface suspicious activity such as:

- Unauthorized SSH connections.
- Malicious use of SSH for lateral movement within a network.
- Exfiltration attempts via SSH tunneling.

```
DeviceNetworkEvents
| where ActionType has "SshConnectionInspected"
| extend CountryIP = tostring(geo_info_from_ip_address(RemoteIP).country), server = tostring(parse_json(AdditionalFields).server)
| where isnotempty(CountryIP)
| where server contains "babeld" or server contains "conker"
| project Timestamp, ActionType, RemoteIP, RemotePort, CountryIP, server, auth_success = tostring(parse_json(AdditionalFields).auth_success), client = tostring(parse_json(AdditionalFields).client)
```

Explanation

This query is designed to identify potentially suspicious SSH connection attempts. Specifically, it looks for connections where external sources are using certain parameters (babeld or Conker) that might indicate unauthorized or malicious activity. Here’s a simple breakdown of what the query does:

  1. Filter Events: It starts by filtering network events to find those related to SSH connections.
  2. Extract Information: It extracts the country of the remote IP address and the server details from the event data.
  3. Check for Suspicious Parameters: It then checks if the server details contain the terms "babeld" or "conker".
  4. Display Results: Finally, it displays relevant information about these suspicious connections, including the timestamp, action type, remote IP and port, country, server details, authentication success status, and client details.

In summary, this query helps in detecting and investigating potentially unauthorized or malicious SSH activities by focusing on specific parameters that might indicate such behavior.
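To make the clause-by-clause behaviour concrete, here is an added Python rendition of the same pipeline run over a handful of constructed DeviceNetworkEvents rows. It is example code written for this page, not the query author's or Microsoft's code. The AdditionalFields keys it reads (server, client, auth_success) are the ones the KQL above extracts; the sample rows, the GEO_TABLE stand-in for geo_info_from_ip_address, and the helper names (geo_country, kql_tostring, inspect_ssh_events) are assumptions made for the example. It also shows the two ways a matching banner can still drop out: a private source address with no geo country, and a row with a different ActionType.

```python
import json

# Constructed sample rows shaped like DeviceNetworkEvents (not real telemetry).
# The AdditionalFields keys read here (server, client, auth_success) are the
# ones the page's query extracts; every value below is made up for the example.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-09-18T10:00:01Z", "ActionType": "SshConnectionInspected",
     "RemoteIP": "203.0.113.10", "RemotePort": 22,
     "AdditionalFields": json.dumps({"server": "SSH-2.0-babeld-1a2b3c4d",
                                     "client": "SSH-2.0-OpenSSH_9.3",
                                     "auth_success": True})},
    {"Timestamp": "2024-09-18T10:02:17Z", "ActionType": "SshConnectionInspected",
     "RemoteIP": "198.51.100.7", "RemotePort": 22,
     "AdditionalFields": json.dumps({"server": "SSH-2.0-Conker_1.0",
                                     "client": "SSH-2.0-PuTTY_Release_0.79",
                                     "auth_success": False})},
    # Private source address: the geo lookup yields no country, so the
    # isnotempty(CountryIP) filter drops this row even though the banner matches.
    {"Timestamp": "2024-09-18T10:05:40Z", "ActionType": "SshConnectionInspected",
     "RemoteIP": "10.0.0.5", "RemotePort": 22,
     "AdditionalFields": json.dumps({"server": "SSH-2.0-babeld-deadbeef",
                                     "client": "SSH-2.0-OpenSSH_8.9",
                                     "auth_success": True})},
    # Ordinary OpenSSH banner: neither keyword, so no match.
    {"Timestamp": "2024-09-18T10:07:03Z", "ActionType": "SshConnectionInspected",
     "RemoteIP": "192.0.2.44", "RemotePort": 22,
     "AdditionalFields": json.dumps({"server": "SSH-2.0-OpenSSH_9.6",
                                     "client": "SSH-2.0-OpenSSH_9.6",
                                     "auth_success": True})},
    # Different ActionType: removed by the first where clause.
    {"Timestamp": "2024-09-18T10:09:55Z", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemotePort": 443, "AdditionalFields": "{}"},
]

# Constructed stand-in for geo_info_from_ip_address(RemoteIP).country: a fixed
# table for the sample addresses. Anything not in it (including RFC 1918 space)
# returns "", mirroring the empty country the real function gives for addresses
# it cannot locate.
GEO_TABLE = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.44": "FR"}


def geo_country(ip):
    return GEO_TABLE.get(ip, "")


def kql_tostring(value):
    """Approximate KQL tostring(): null -> "", booleans -> "true"/"false"."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def inspect_ssh_events(events, lookup=geo_country):
    """Apply the page's KQL pipeline, clause by clause, to a list of rows.

    KQL's has and contains are case-insensitive, so the comparisons below are
    done on lower-cased strings (has is approximated as a substring test here)."""
    results = []
    for ev in events:
        # | where ActionType has "SshConnectionInspected"
        if "sshconnectioninspected" not in ev.get("ActionType", "").lower():
            continue
        # | extend CountryIP = ..., server = tostring(parse_json(AdditionalFields).server)
        fields = json.loads(ev.get("AdditionalFields") or "{}")
        country = lookup(ev["RemoteIP"])
        server = kql_tostring(fields.get("server"))
        # | where isnotempty(CountryIP)
        if not country:
            continue
        # | where server contains "babeld" or server contains "conker"
        banner = server.lower()
        if "babeld" not in banner and "conker" not in banner:
            continue
        # | project Timestamp, ActionType, RemoteIP, RemotePort, CountryIP, server, auth_success, client
        results.append({
            "Timestamp": ev["Timestamp"],
            "ActionType": ev["ActionType"],
            "RemoteIP": ev["RemoteIP"],
            "RemotePort": ev["RemotePort"],
            "CountryIP": country,
            "server": server,
            "auth_success": kql_tostring(fields.get("auth_success")),
            "client": kql_tostring(fields.get("client")),
        })
    return results


if __name__ == "__main__":
    for row in inspect_ssh_events(SAMPLE_EVENTS):
        print(row)
```

Running it prints the two projected rows (the babeld connection from 203.0.113.10 and the Conker connection from 198.51.100.7); the private-source row and the plain OpenSSH row are silently dropped, which is worth remembering when tuning: an internal host presenting one of these banners never reaches the results because the country filter runs before the banner check.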

Details

Sergio Albea

Released: September 18, 2024

Tables

DeviceNetworkEvents

Keywords

DevicesNetworkSecurity

Operators

has, extend, tostring, geo_info_from_ip_address, parse_json, isnotempty, contains, or, project