KQL For Detecting Potential Hashtag Regre SS Hion Abuse
Query
// KQL for detecting potential hashtag#RegreSSHion abuse
// https://www.linkedin.com/posts/activity-7214588446722465792-FwFr/
// ** Assumption **
// Firewall logs stream to CommonSecurityLog
// 6 OpenSSH connections per min for minimum 6 hours
// 6x60x6 = 2160 connections for past 6 hours
// Attack source is non-distributed, triangulate by country level
// Feel free to adjust the assumption parameters to your environment needs
CommonSecurityLog
| where TimeGenerated >= ago (6h)
| where DestinationPort == "22"
| extend ip_location=geo_info_from_ip_address(SourceIP)
| extend Country=tostring(ip_location.country)
| where Country != ""
| summarize SSH_Connection=count() by Country
| sort by SSH_Connection desc
| where SSH_Connection > 2160
// If analytics rule get triggered, this probably warrant a deeper investigation
// MITRE ATT&CK Mapping
// This query can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// Detecting SSH connections can help identify the use of valid accounts for unauthorized access.
// T1021 - Remote Services:
// SSH is a remote service, and monitoring connections can help detect unauthorized remote access.
// T1036 - Masquerading:
// High volumes of SSH connections from unexpected countries might indicate attempts to masquerade as legitimate users.
// T1040 - Network Sniffing:
// Although not directly related, monitoring SSH connections can help identify potential network sniffing activities if attackers are trying to capture credentials.Explanation
This KQL query is designed to detect potential abuse of SSH connections, specifically looking for a pattern that might indicate a security threat. Here's a simple breakdown of what the query does:
-
Data Source: It uses firewall logs that are streamed into a table called
CommonSecurityLog. -
Time Frame: The query looks at logs from the past 6 hours.
-
SSH Connections: It specifically filters for connections on port 22, which is commonly used for SSH (Secure Shell) connections.
-
Geolocation: The query extracts the geographic location of the source IP addresses to determine the country of origin for each connection.
-
Connection Count: It counts the number of SSH connections from each country.
-
Threshold: It identifies countries with more than 2160 SSH connections in the past 6 hours, which is an indicator of potential abuse based on the assumption of 6 connections per minute over 6 hours.
-
Sorting: The results are sorted in descending order by the number of connections to highlight the countries with the highest activity.
-
Investigation Trigger: If the query finds any countries exceeding the threshold, it suggests that this warrants further investigation as it might indicate unauthorized access attempts.
-
MITRE ATT&CK Techniques: The query is associated with several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These include:
- T1078 - Valid Accounts: Detecting unauthorized use of valid accounts.
- T1021 - Remote Services: Monitoring for unauthorized remote access.
- T1036 - Masquerading: Identifying attempts to disguise malicious activity as legitimate.
- T1040 - Network Sniffing: Although not directly related, high SSH activity might hint at attempts to capture credentials.
Overall, this query helps identify unusual SSH activity that could indicate a security threat, such as a brute-force attack or unauthorized access from unexpected locations.
