Cyber security

Inbound SSH Connection To Vulnerable XZ Machine : CVE-2024-3094 Exploits

This KQL query can be used to detect post exploitation activities related to CVE-2024-3094. This vulnerability is related to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1.

Multiple sources suggest that the malicious code is ingested in functions that SSHD leverages to bypass authentication features, this is yet to be confirmed.

If you only want to list devices with the vulnerable version use:

DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName

Defender For Endpoint

let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)

Sentinel

let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install Webmin on Ubuntu 20.04: Complete Setup and Login Guide

Webmin is an open-source web-based control panel for Linux servers. It gives you a browser interface…

2 minutes ago

Install MariaDB on Ubuntu 20.04: Setup and Admin Access

MariaDB is an open-source relational database management system. It was created by the original MySQL developers…

15 minutes ago

Best OSINT Tools for Investigating Corruption 2026: Public Records and Link Analysis

Corruption investigations need accuracy, patience, and strong evidence. In 2026, OSINT tools can help researchers,…

26 minutes ago

Best OSINT Tools for Private Investigators 2026: Legal People and Asset Research

Private investigators use OSINT to collect public information, verify identities, review business connections, check public…

44 minutes ago

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

12 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

DockerĀ is an open-source platform that lets you package and run applications inside containers. Each container…

22 hours ago