KQL Search

Query Details

Inbound SSH Connection To Vulnerable XZ Machine

Query

# Inbound SSH Connection to Vulnerable XZ Machine

## Query Information

#### Description
This KQL query can be used to detect post exploitation activities related to CVE-2024-3094. This vulnerability is related to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. Multiple sources suggest that the malicious code is ingested in functions that SSHD leverages to bypass authentication features, this is yet to be confirmed. 

If you only want to list devices with the vulnerable version use:
```KQL
DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName
```

#### Risk
Exploitation of CVE-2024-3094.

#### References
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://access.redhat.com/security/cve/cve-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.openwall.com/lists/oss-security/2024/03/29/4

## Defender For Endpoint
```KQL
let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
```
## Sentinel
```KQL
let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
```

Explanation

This query helps detect inbound SSH connections to vulnerable XZ machines affected by CVE-2024-3094. It looks for devices with XZ version 5.6 and checks for incoming SSH connections. The goal is to identify potential exploitation of the vulnerability.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: March 30, 2024

Tables

DeviceTvmSoftwareInventory DeviceNetworkEvents

Keywords

DeviceTvmSoftwareInventory,DeviceNetworkEvents,ActionType,InitiatingProcessFileName,GeoIPInfo,RemoteIP,country,state,city,latitude,longitude.

Operators

| where| distinct| extend| geo_info_from_ip_address()| parse_json()| contains| in| ==| &&| ||

Actions