Defender XDR Exposure Management For CVE 2024 3094
Query
//DefenderXDR Exposure Management for CVE-2024-3094
//https://www.linkedin.com/posts/activity-7180041278829580288-I4hU/
//After reading so many infosec posts relating XZ, I decided to build this high precision KQL detection using the latest DefenderXDR exposure management capability to determine Azure internet facing Linux machines that has vulnerable compromised XZ and running SSHD which are susceptible to RCE attack. If you have this rule triggered, I would strongly suggest you quickly remediate your Linux VM.🫡
let DeviceWithVulnerableXZ =
DeviceTvmSoftwareInventory
| where SoftwareName contains "xz"
| where SoftwareVersion contains "5.6."
| distinct DeviceName;
let DevicewithSSHD =
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 22
| distinct DeviceName;
ExposureGraphNodes
| where NodeLabel == 'device' or (Categories has 'virtual_machine' and set_has_element(Categories, 'virtual_machine'))
// Condition: Internet Facing with vulnerable XZ and running SSHD
| where NodeProperties.rawData.isInternetFacing == true
| where NodeName has_any (DeviceWithVulnerableXZ)
| where NodeName has_any (DevicewithSSHD)
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1190 - Exploit Public-Facing Application:
// The query identifies internet-facing devices with vulnerable software, which could be exploited by attackers.
// T1078 - Valid Accounts:
// The presence of SSHD (port 22) suggests potential use of valid accounts for remote access.
// T1046 - Network Service Scanning:
// Identifying devices with specific services running (like SSHD) can be part of network service scanning activities.
// T1210 - Exploitation of Remote Services:
// Exploiting vulnerabilities in remote services (like SSHD) to gain unauthorized access.Explanation
This KQL query is designed to identify Azure internet-facing Linux machines that are vulnerable to a specific security threat. Here's a simplified breakdown:
-
Objective: The query aims to detect Linux virtual machines that are exposed to the internet, have a specific vulnerable version of the "xz" software, and are running the SSH service (SSHD) on port 22. These conditions make them susceptible to remote code execution (RCE) attacks.
-
Steps:
- Identify Vulnerable Software: It first checks the software inventory to find devices with the "xz" software version "5.6." which is known to be vulnerable.
- Identify SSHD Running Devices: It then looks for devices that have an active SSHD service by checking for listening connections on port 22. - Filter Internet-Facing Devices: Finally, it filters for devices that are both internet-facing and meet the above conditions (vulnerable "xz" and running SSHD).
-
Action: If a device triggers this rule, it is recommended to quickly address the vulnerability on the affected Linux virtual machine.
-
Security Context: The query maps to several MITRE ATT&CK techniques, indicating potential exploitation risks:
- T1190: Exploiting public-facing applications.
- T1078: Use of valid accounts for unauthorized access.
- T1046: Network service scanning to identify vulnerable services.
- T1210: Exploitation of remote services for unauthorized access.
In essence, this query helps in proactively identifying and mitigating security risks associated with specific vulnerabilities in internet-facing Linux machines.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators