Data Sources: DeviceTvmSoftwareInventory
Platforms: windows, azure-sentinel, microsoft-defender
Tags: vulnerability-management
# Inbound SSH Connection to Vulnerable XZ Machine
## Query Information
#### Description
This KQL query can be used to detect post-exploitation activity related to CVE-2024-3094. The vulnerability concerns reports of malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1. Multiple sources suggest that the malicious code is injected into functions that SSHD relies on, in order to bypass authentication; this has yet to be confirmed.
If you only want to list devices with the vulnerable version use:
```KQL
DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName
```
#### Risk
Exploitation of CVE-2024-3094.
#### References
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://access.redhat.com/security/cve/cve-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.openwall.com/lists/oss-security/2024/03/29/4
## Defender XDR
```KQL
let VulnerableXZDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country),
         state = tostring(GeoIPInfo.state),
         city = tostring(GeoIPInfo.city),
         latitude = tostring(GeoIPInfo.latitude),
         longitude = tostring(GeoIPInfo.longitude)
```
## Sentinel
```KQL
let VulnerableXZDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country),
         state = tostring(GeoIPInfo.state),
         city = tostring(GeoIPInfo.city),
         latitude = tostring(GeoIPInfo.latitude),
         longitude = tostring(GeoIPInfo.longitude)
```
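A tightened variant of the hunt above, added here as an example and not part of the original query set: it matches only the two affected releases (a bare `has "5.6"` also matches any other 5.6.x build), keys on `sshd` as the accepting process rather than anything containing "ssh", and summarizes the remote peers per vulnerable device so each host yields one row to triage. It assumes the Defender XDR advanced hunting column names (`Timestamp`, `RemoteIP`, `LocalPort`) and that the inventory reports the package as `xz` or `liblzma`; the `liblzma` name is an assumption, so adjust the list to how your inventory names the package.

```kql
// Added example: inbound SSH connections to hosts carrying the affected xz releases.
// Assumes Defender XDR advanced hunting schema; package naming is inventory-specific.
let lookback = 7d;
let VulnerableXZDevices = DeviceTvmSoftwareInventory
    // "xz" comes from the original query; "liblzma" is an assumed alternative package name
    | where SoftwareName has_any ("xz", "liblzma")
    // Only 5.6.0 and 5.6.1 carry the malicious code; allow a distro release suffix (e.g. "-1.fc40")
    | where SoftwareVersion matches regex @"^5\.6\.[01](\D|$)"
    | distinct DeviceId, SoftwareName, SoftwareVersion;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
// sshd is the listening daemon; 'contains "ssh"' would also match outbound ssh client activity
| where InitiatingProcessFileName =~ "sshd"
| join kind=inner VulnerableXZDevices on DeviceId
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend RemoteCountry = tostring(GeoIPInfo.country)
// One row per vulnerable host: connection volume, time window and the set of remote peers
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 50),
            RemoteCountries = make_set(RemoteCountry, 20),
            LocalPorts = make_set(LocalPort, 10)
    by DeviceName, SoftwareName, SoftwareVersion
| order by Connections desc
```

Hosts that appear here are only confirmed to be running a vulnerable build and to have accepted SSH sessions; verify the binary on the host and review the corresponding authentication logs before treating a row as exploitation.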