Inbound SSH Connection To Vulnerable XZ Machine
Query
DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceNameAbout this query
Explanation
This KQL query is designed to identify potential security threats related to a specific vulnerability, CVE-2024-3094, found in certain versions of the XZ Utils software (versions 5.6.0 and 5.6.1). The vulnerability may allow malicious code to bypass authentication features in SSHD.
Here's a simple breakdown of what the query does:
-
Identify Vulnerable Devices:
- The query first identifies devices that have the vulnerable versions of XZ Utils installed. It does this by searching for software named "xz" with version "5.6" in the device's software inventory and lists these devices by their unique identifiers (DeviceId).
-
Monitor Network Events:
- It then checks network events on these vulnerable devices to find instances where an inbound SSH connection was accepted. This is done by looking for network events where the action type is "InboundConnectionAccepted" and the initiating process is related to "ssh".
-
Geolocation Information:
- For each identified inbound SSH connection, the query retrieves geolocation information based on the remote IP address. This includes the country, state, city, latitude, and longitude of the remote connection.
The query is useful for security teams to monitor and respond to potential exploitation attempts on devices with the vulnerable XZ Utils versions, especially focusing on unauthorized SSH connections that could indicate malicious activity.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
DeviceTvmSoftwareInventoryDeviceNetworkEvents
Keywords
DeviceTvmSoftwareInventoryNameIdNetworkEventsActionTypeInitiatingProcessFileGeoIPInfoRemoteCountryStateCityLatitudeLongitude
Operators
let|wherehasdistinctin==containsextendgeo_info_from_ip_addresstostringparse_json