Potential Git CVE-2025-48384 Exploitation
This rule detects potential exploitation of CVE-2025-48384 via Git. This vulnerability allows attackers to execute arbitrary code by leveraging Git's recursive clone feature to fetch and execute malicious scripts from a remote repository.
Elastic rule
```toml
[metadata]
creation_date = "2025/11/12"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/11/12"

[rule]
author = ["Elastic"]
description = """
This rule detects potential exploitation of CVE-2025-48384 via Git. This vulnerability allows attackers to execute arbitrary code
by leveraging Git's recursive clone feature to fetch and execute malicious scripts from a remote repository.
"""
from = "now-9m"
index = [
  "auditbeat-*",
  "logs-crowdstrike.fdr*",
  "logs-auditd_manager.auditd-*",
  "logs-endpoint.events.process*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Git CVE-2025-48384 Exploitation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Git CVE-2025-48384 Exploitation

This rule flags a Git recursive clone from an HTTP(S) remote followed moments later by a shell spawned by Git—clear evidence of CVE-2025-48384 abuse enabling arbitrary code execution on Linux or macOS. An attacker ships a repository whose submodules or hooks pull and run a bash script during --recursive clone, causing Git to invoke a shell and execute their payload on a developer endpoint.

### Possible investigation steps

- Extract the remote URL and parameters from the git invocation and review .gitmodules to enumerate submodules, then assess the domain/account reputation and recent commits for signs of a malicious repo or takeover.
- Inspect the cloned repository for hook execution vectors by reviewing .git/hooks and any core.hooksPath overrides for newly created or modified executables (post-checkout/post-merge/post-update), noting contents and timestamps.
- Analyze the spawned shell’s lineage, command line, working directory, and any script or binary launched to identify the payload, compute hashes, and correlate with concurrent outbound connections or file writes.
- Pivot on the repo URL, hooks filenames, and payload hash across hosts to identify other impacted endpoints, and verify whether this activity aligns with expected developer workflows or CI jobs to rule out benign use.
- Examine the endpoint for follow-on changes suggesting execution or persistence (new cron/LaunchAgents entries, modified shell profiles, new SSH keys or credentials files, unusual PATH or gitconfig changes), and collect artifacts for forensic review.

### False positive analysis

- Legitimate organization-wide or user-level Git hooks installed via core.hooksPath or templates run a post-checkout bootstrap shell script after a recursive HTTP or HTTPS clone, causing git to spawn a shell as a child process.
- During a recursive HTTP or HTTPS clone, Git invokes a credential or askpass helper implemented as a shell script for authentication, resulting in a benign sh/bash child of the git process.

### Response and remediation

- Immediately isolate any host where git clone --recursive from an HTTP(S) URL spawned a shell, terminate the git process tree (bash/sh and curl/wget/python children) launched from the cloned path, and block the repository domain on your proxy and Git hosting.
- Quarantine the cloned directory and its .git folder, preserve .gitmodules, .git/hooks, and any core.hooksPath target for forensics, then remove executable hooks (post-checkout/post-merge/post-update) and delete the repository and downloaded payload scripts.
- Rotate credentials available to the user (replace ~/.ssh keys and clear ~/.git-credentials/osxkeychain/libsecret), and eradicate persistence by removing new cron entries, LaunchAgents/LaunchDaemons, modified shell profiles (~/.bashrc, ~/.zshrc), and unexpected PATH or gitconfig changes.
- Scope and recover by hunting for the same remote URL, hook names, and payload hashes across endpoints and CI runners, reimaging or restoring clean baselines before returning systems to service.
- Escalate to incident command if multiple hosts show a git->shell chain from the same repository, if the payload invoked sudo or wrote to /etc/cron* or /Library/LaunchDaemons, or if outbound transfers occur to the repo’s domain or newly contacted IPs.
- Upgrade Git to a patched release for CVE-2025-48384, enforce core.hooksPath to a read-only allowlisted directory, disable recursive submodule cloning by default (submodule.recurse=false), restrict protocols (protocol.file.allow=never; allow only https/ssh), and block clones from untrusted domains in developer and CI environments.
"""
references = [
  "https://www.kucoin.com/zh-hant/blog/en-breaking-lazarus-group-apt38-targets-crypto-sector-with-sophisticated-phishing-campaign",
  "https://securitylabs.datadoghq.com/articles/git-arbitrary-file-write/",
  "https://github.com/acheong08/CVE-2025-48384"
]
risk_score = 73
rule_id = "640f0535-f784-4010-b999-39db99d2daeb"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Defend",
  "Data Source: Auditd Manager",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=1m
  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
   process.name == "git" and process.args == "clone" and process.args == "--recursive" and process.args like~ "http*"] by process.entity_id
  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
   process.name in (
     "dash", "sh", "static-sh", "bash", "bash-static", "zsh", "ash", "csh", "ksh", "tcsh", "busybox", "fish", "ksh93", "rksh",
     "rksh93", "lksh", "mksh", "mksh-static", "csharp", "posh", "rc", "sash", "yash", "zsh5", "zsh5-static"
   )] by process.parent.entity_id
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

  [[rule.threat.technique]]
  name = "Exploitation for Client Execution"
  id = "T1203"
  reference = "https://attack.mitre.org/techniques/T1203/"
```
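The rule's EQL sequence re-implemented in Python as an added example (not Elastic's code), run over constructed process-start events: a `git clone --recursive http*` start is joined to a later shell start on the same host by `process.entity_id` / `process.parent.entity_id` within the one-minute maxspan. The flattened dictionary field names and the sample events are this example's own assumptions, not real telemetry.

```python
from datetime import datetime, timedelta

# Shell names copied from the rule's second sequence step.
SHELLS = {
    "dash", "sh", "static-sh", "bash", "bash-static", "zsh", "ash", "csh", "ksh", "tcsh",
    "busybox", "fish", "ksh93", "rksh", "rksh93", "lksh", "mksh", "mksh-static", "csharp",
    "posh", "rc", "sash", "yash", "zsh5", "zsh5-static",
}
MAXSPAN = timedelta(minutes=1)  # "sequence by host.id with maxspan=1m"

def is_recursive_http_clone(ev):
    """Step 1: git started with 'clone', '--recursive' and an http* arg (like~ is case-insensitive)."""
    args = ev["args"]
    return (ev["name"] == "git" and "clone" in args and "--recursive" in args
            and any(a.lower().startswith("http") for a in args))

def match_sequence(events):
    """Return (git_event, shell_event) pairs satisfying the rule's two-step sequence."""
    pending = {}  # (host.id, process.entity_id) -> step-1 event awaiting a shell child
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["os"] not in ("linux", "macos") or ev["action"] != "exec":
            continue
        if is_recursive_http_clone(ev):
            pending[(ev["host"], ev["entity_id"])] = ev
        elif ev["name"] in SHELLS:
            key = (ev["host"], ev["parent_entity_id"])  # step 2 joins on the parent entity id
            git = pending.get(key)
            if git is not None and ev["ts"] - git["ts"] <= MAXSPAN:
                hits.append((pending.pop(key), ev))
    return hits

def _ev(offset_s, host, name, args, entity_id, parent_id, os="linux"):
    return {"ts": datetime(2025, 11, 12, 10, 0, 0) + timedelta(seconds=offset_s),
            "host": host, "os": os, "action": "exec", "name": name, "args": args,
            "entity_id": entity_id, "parent_entity_id": parent_id}

# Constructed sample events (flattened fields, not real telemetry): one true chain, two that must not fire.
SAMPLE_EVENTS = [
    _ev(0, "h1", "git", ["git", "clone", "--recursive", "https://example.test/r.git"], "g1", "p0"),
    _ev(12, "h1", "bash", ["bash", ".git/hooks/post-checkout"], "s1", "g1"),  # hit
    _ev(0, "h2", "git", ["git", "clone", "--recursive", "git@example.test:r.git"], "g2", "p0"),
    _ev(5, "h2", "sh", ["sh", "/usr/lib/git-core/askpass.sh"], "s2", "g2"),   # not http*: no hit
    _ev(0, "h3", "git", ["git", "clone", "--recursive", "HTTP://example.test/r.git"], "g3", "p0"),
    _ev(90, "h3", "sh", ["sh"], "s3", "g3"),                                  # > maxspan: no hit
]

if __name__ == "__main__":
    for git, shell in match_sequence(SAMPLE_EVENTS):
        print(f"{git['host']}: {' '.join(git['args'])} -> {shell['name']} ({shell['ts']:%H:%M:%S})")
```

The askpass case on h2 is the benign pattern the false-positive section describes; it only escapes here because the remote is not an HTTP(S) URL, so an askpass helper spawned after an HTTPS clone would still fire and must be triaged by hand.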
Related rules
- File Transfer or Listener Established via Netcat
- Potential Linux Hack Tool Launched
- Unix Socket Connection
- Git Hook Command Execution
- Memory Swap Modification