CVE 2024 6387 Regresshion Identify Affected Internet Facing Endpoints
Query
let VulnerableDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| extend OpenSSHVersion = extract(@"(\d+\.\d+)(?:p\d+)?", 1, SoftwareVersion)
| extend OpenSSHVersion = toreal(OpenSSHVersion)
| where OpenSSHVersion between (8.5 .. 9.8) or OpenSSHVersion < 4.4
| distinct DeviceId, DeviceName, OpenSSHVersion;
VulnerableDevices
| join (DeviceInfo
| where IsInternetFacing == "1" // 1 for internet facing devices, 0 for non-internet facing devices
| project DeviceId, DeviceName, OSBuild, OSVersion, OSDistribution, OSVersionInfo
) on DeviceIdAbout this query
CVE-2024-6387 regreSSHion identify affected internet facing endpoints
Description
This query will help identify internet facing endpoints with OpenSSH of an affected version by the regreSSHion vulnerability.
References
Microsoft XDR & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Lateral Movement
- Technique ID: T1210
- Exploitation of Remote Services
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 04/07/2024 | Initial publish |
Explanation
This query helps find internet-facing devices with a vulnerable version of OpenSSH due to the regreSSHion vulnerability. It looks for devices with OpenSSH versions between 8.5 and 9.8 or older than 4.4. The results include device information like OS details.
Details

Michalis Michalos
Released: July 4, 2024
Tables
DeviceTvmSoftwareInventory
DeviceInfo
Keywords
InternetOpenSSHVulnerableDevicesDeviceTvmSoftwareInventorySoftwareNameOpenSSHVersionDeviceIdDeviceNameIsInternetFacingDeviceInfoOSBuildOSVersionOSDistributionOSVersionInfoMITREATT&CKLateral MovementTechniqueT1210ExploitationRemote ServicesVersioningDateCommentsInitial publish
Operators
whereextendextracttorealbetweenordistinctjoinproject
MITRE Techniques