forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
…24-3094 new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: Thomas Patzke <[email protected]>
- Loading branch information
1 parent
3e389b1
commit 71ae004
Showing
1 changed file
with
30 additions
and
0 deletions.
There are no files selected for viewing
30 changes: 30 additions & 0 deletions
30
...024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | ||
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5 | ||
status: experimental | ||
description: | | ||
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. | ||
references: | ||
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo | ||
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke | ||
date: 2024/04/01 | ||
tags: | ||
- attack.execution | ||
- cve.2024.3094 | ||
logsource: | ||
category: process_creation | ||
product: linux | ||
detection: | ||
selection_1: | ||
ParentImage|endswith: '/sshd' | ||
CommandLine|startswith: | ||
- 'bash -c' | ||
- 'sh -c' | ||
User: 'root' | ||
selection_2: | ||
ParentImage|endswith: '/sshd' | ||
Image|endswith: '/sshd' | ||
User: 'sshd' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c" | ||
level: high |