Query Details

regreSSHion Remote Unauthenticated Code Execution Vulnerability In OpenSSH Server

Query

// regreSSHion - Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
// https://www.linkedin.com/posts/activity-7213658125323681793-p0wl/

// Azure Resource Graph KQL query: inventory of Azure Linux VMs that have SSH public keys
// configured in their OS profile. This is an attack-surface list, not a version check:
// Resource Graph does not know which OpenSSH build is installed on the VM.

resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| extend osType = properties.storageProfile.osDisk.osType
| where osType =~ 'Linux'
// one row per configured public key
| mvexpand sshKey = properties.osProfile.linuxConfiguration.ssh.publicKeys
// key type has no bearing on regreSSHion; this filter only narrows the list and
// drops VMs provisioned with ed25519 or ECDSA keys
| where sshKey.keyData contains 'ssh-rsa' or sshKey.keyData contains 'ssh-dss'
| project name, location, osType, sshKey.keyData

// Microsoft Defender for Endpoint device discovery KQL: Linux machines seen on the network
// (on-prem and cloud, probably with SSH enabled) that are NOT onboarded to MDE, to surface
// hosts that no sensor or vulnerability assessment covers.
// Note: DeviceInfo is a stream of device reports, so the same device can appear on
// several rows; deduplicate on DeviceId (latest Timestamp) before counting.

DeviceInfo
| where OnboardingStatus != "Onboarded"
| where OSPlatform == "Linux"
| where DeviceName != ""
| where DeviceCategory == "Endpoint"

Explanation

Together these two queries give an inventory of Linux hosts that may expose OpenSSH: Azure Linux virtual machines with SSH public keys configured, and Linux machines that Microsoft Defender for Endpoint (MDE) device discovery has seen but that are not onboarded. Neither query reads the installed OpenSSH version, so both are attack-surface lists rather than vulnerability checks. Summary:

  1. Azure Resource Graph Query:

    • Purpose: To find Azure Linux virtual machines whose OS profile carries an RSA or DSA SSH public key. The key type does not affect regreSSHion; the filter only narrows the list, and it misses VMs provisioned with ed25519 or ECDSA keys.
    • Steps:
      • Look for resources of type 'Microsoft.Compute/virtualMachines'.
      • Filter to get only Linux virtual machines.
      • Expand the SSH public keys configured on these machines (one row per key).
      • Keep rows whose key data contains 'ssh-rsa' or 'ssh-dss'.
      • Display the name, location, operating system type, and SSH key data of these virtual machines.
  2. Microsoft Defender for Endpoint Query:

    • Purpose: To detect Linux machines (likely with SSH enabled) that are connected to on-premises or cloud environments but are not onboarded to MDE, and therefore have no sensor or vulnerability assessment coverage.
    • Steps:
      • Look for devices whose onboarding status is not 'Onboarded'.
      • Filter to get only Linux devices.
      • Ensure the device name is not empty.
      • Filter to get only devices categorized as 'Endpoint'.
    • Caveat: DeviceInfo holds a stream of device reports, so one device can appear on several rows; keep the most recent report per DeviceId before counting.

In essence, the queries locate Linux servers with SSH keys in Azure and Linux endpoints that are not protected by MDE. To confirm that a given host is actually exposed, check the sshd build on the host: regreSSHion (CVE-2024-6387) affects OpenSSH 8.5p1 through 9.7p1 on glibc-based Linux and is fixed in 9.8p1, and distributions ship backported fixes that keep the upstream version string, so compare against the vendor's fixed package revision rather than the bare version number.
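Three follow-up queries, added here as an example and not part of the original post or of Steven Lim's query: a Resource Graph inventory that keeps every key type and adds image and power state, the MDE discovery query deduplicated to one row per device, and, for onboarded devices, the actual version check through Defender Vulnerability Management. Assumptions: CVE-2024-6387 is the identifier for regreSSHion; the DeviceInfo columns OSDistribution, OSVersionInfo, IsInternetFacing and PublicIP and the DeviceTvmSoftwareVulnerabilities / DeviceTvmSoftwareInventory tables are the advanced hunting schema as documented; and that MDVM records the OpenSSH package with a SoftwareName containing "openssh" (an assumption, so query 3b matches with `has` and is labelled coarse).

```kql
// 1. Azure Resource Graph: Linux VMs with image, power state and the set of SSH key
//    types. No key-type filter, since key type does not affect regreSSHion.
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where properties.storageProfile.osDisk.osType =~ 'Linux'
| extend powerState = tostring(properties.extended.instanceView.powerState.code),
         imagePublisher = tostring(properties.storageProfile.imageReference.publisher),
         imageOffer = tostring(properties.storageProfile.imageReference.offer),
         imageSku = tostring(properties.storageProfile.imageReference.sku)
| mv-expand sshKey = properties.osProfile.linuxConfiguration.ssh.publicKeys
// first token of an authorized_keys line is the key type (ssh-rsa, ssh-ed25519, ...)
| extend keyType = tostring(split(tostring(sshKey.keyData), ' ')[0])
| summarize keyTypes = make_set(keyType)
    by name, resourceGroup, location, powerState, imagePublisher, imageOffer, imageSku
| order by name asc

// 2. MDE device discovery: non-onboarded Linux devices, one row per device.
//    DeviceInfo is a report stream; arg_max keeps the most recent report per DeviceId,
//    and OnboardingStatus is evaluated on that latest report only.
DeviceInfo
| where Timestamp > ago(30d)
| where OSPlatform == "Linux" and DeviceCategory == "Endpoint"
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus != "Onboarded"
| where isnotempty(DeviceName)
| project Timestamp, DeviceName, OSDistribution, OSVersionInfo, OnboardingStatus,
          IsInternetFacing, PublicIP

// 3a. Onboarded devices: hosts Defender Vulnerability Management already flags for the CVE.
//     This accounts for distro backports, unlike a bare version comparison.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-6387"
| project DeviceName, OSPlatform, OSVersion, SoftwareName, SoftwareVersion,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate

// 3b. Coarse range match on the installed OpenSSH version (upstream 8.5 <= v < 9.8).
//     Assumption: MDVM lists the package with a SoftwareName containing "openssh".
//     Backported fixes keep the upstream version string, so treat hits as "review",
//     not "vulnerable"; use this to find hosts 3a has not assessed yet.
DeviceTvmSoftwareInventory
| where OSPlatform == "Linux" and SoftwareName has "openssh"
// "9.6p1" -> "9.6" -> comparable version; parse_version handles the numeric part
| extend upstreamVersion = parse_version(extract(@"^(\d+\.\d+)", 1, SoftwareVersion))
| extend inAffectedRange = upstreamVersion >= parse_version("8.5")
                           and upstreamVersion < parse_version("9.8")
| where inAffectedRange
| project DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion
```

Run query 1 in Azure Resource Graph Explorer and queries 2, 3a and 3b in the Defender advanced hunting console; they are independent statements, not one pipeline. Hosts found by query 2 have no MDVM data at all, which is the reason to onboard them first and then re-run 3a.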

Details


Steven Lim

Released: August 2, 2024

Tables

resources DeviceInfo

Keywords

AzureResourceGraph, Devices, Linux, MicrosoftComputeVirtualMachines, MicrosoftDefenderForEndpoint, DeviceInfo, OnboardingStatus, OSPlatform, DeviceName, DeviceCategory, Endpoint

Operators

=~, |, extend, mvexpand, contains, or, project, !=, ==
