Query Details

Weak SSH Version Used

Query

# Detect the usage of weak SSH sessions
----
### Defender For Endpoint

```kql
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder Timestamp, DeviceName, RemoteIP, LocalIP
```
### Sentinel

```kql
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "SSH"
| where SignatureMatchedContent == 'SSH-1'
| project-reorder TimeGenerated, DeviceName, RemoteIP, LocalIP
```
Explanation

The query looks for weak SSH sessions by filtering network events whose ActionType is "NetworkSignatureInspected". It then extracts the SignatureName, SignatureMatchedContent and SamplePacketContent fields from the JSON in the AdditionalFields column and keeps only SSH signatures whose matched content is "SSH-1" (SSH protocol version 1). Finally, project-reorder moves Timestamp (Defender for Endpoint) or TimeGenerated (Sentinel), DeviceName, RemoteIP and LocalIP to the front of the output.
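As an added example (not part of the original query or the author's repository), the Python below applies the same filter to constructed DeviceNetworkEvents-shaped rows and then parses the sampled SSH identification string (RFC 4253 format) so that the "SSH-1.99" compatibility banner, which still permits protocol version 1, is surfaced alongside plain SSH-1.x. The row layout, the banner values and the contents of SamplePacketContent are assumptions.

```python
import json
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+(?:\.\d+)*)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def classify_banner(banner: str) -> str:
    """Return 'ssh1', 'ssh1-compat', 'ssh2' or 'unknown' for one banner line."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if m is None:
        return "unknown"
    proto = m.group("proto")
    if proto == "1.99":
        # Server advertises SSH-2 but still accepts SSH-1 clients.
        return "ssh1-compat"
    major = proto.split(".")[0]
    return {"1": "ssh1", "2": "ssh2"}.get(major, "unknown")

def weak_ssh_sessions(events):
    """Apply the page's filter to DeviceNetworkEvents-shaped rows, then parse the
    sampled banner so both SSH-1.x and 1.99 compat servers are surfaced."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "NetworkSignatureInspected":
            continue
        fields = json.loads(ev.get("AdditionalFields", "{}"))
        if fields.get("SignatureName") != "SSH":
            continue
        verdict = classify_banner(fields.get("SamplePacketContent", ""))
        if verdict in ("ssh1", "ssh1-compat"):
            hits.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                         "RemoteIP": ev["RemoteIP"], "LocalIP": ev["LocalIP"],
                         "Verdict": verdict})
    return hits

def _row(name, remote, banner, matched):
    # Constructed sample row (not real telemetry); AdditionalFields is a JSON
    # string as in DeviceNetworkEvents, but the field contents are assumed.
    fields = {"SignatureName": "SSH", "SignatureMatchedContent": matched,
              "SamplePacketContent": banner}
    return {"Timestamp": "2023-03-08T10:00:00Z", "DeviceName": name, "RemoteIP": remote,
            "LocalIP": "10.0.0.20", "ActionType": "NetworkSignatureInspected",
            "AdditionalFields": json.dumps(fields)}

SAMPLE_EVENTS = [
    _row("ws01", "10.0.0.5", "SSH-1.5-legacyd\r\n", "SSH-1"),
    _row("ws02", "10.0.0.6", "SSH-1.99-Cisco-1.25\r\n", "SSH-1"),
    _row("ws03", "10.0.0.7", "SSH-2.0-OpenSSH_9.3\r\n", "SSH-2"),
]
```

Running `weak_ssh_sessions(SAMPLE_EVENTS)` returns the ws01 (ssh1) and ws02 (ssh1-compat) rows and drops the SSH-2.0 one.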

Details

Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,SignatureName,SignatureMatchedContent,AdditionalFields,SamplePacketContent,Timestamp,DeviceName,RemoteIP,LocalIP,TimeGenerated

Operators

where, extend, tostring, parse_json, ==, |, project-reorder