Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects a potentially suspicious child process of the SSH daemon (sshd) that runs as a specific user (root) and whose command line starts with "bash -c" or "sh -c". This could be a sign of exploitation of CVE-2024-3094, the backdoor in the xz/liblzma releases that allowed remote command execution through sshd.
Sigma rule
```yaml
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
description: |
  Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
  - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024-04-01
modified: 2024-07-03
tags:
  - attack.execution
  - cve.2024-3094
  - detection.emerging-threats
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/sshd'
    CommandLine|startswith:
      - 'bash -c'
      - 'sh -c'
    User: 'root'
  condition: selection
falsepositives:
  - Administrative activity performed directly with root authentication might trigger this rule if the command is unnecessarily prefixed with "sh -c" or "bash -c"
level: high
```
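To make the rule's matching semantics concrete, here is an added example (not code from the Sigma project or from this rule's authors) that evaluates the rule's `selection` block over a handful of constructed process-creation events. It implements the general Sigma selection logic of which this rule is one instance: every field in a selection must match (AND), a list of values for one field is an OR, and the `startswith`/`endswith` modifiers apply to the field value. String comparison is done case-insensitively, which is Sigma's default unless the `cased` modifier is used. The event field names (`ParentImage`, `CommandLine`, `User`) are the ones the rule itself uses; the sample events, paths and command lines are constructed for illustration and are not taken from any real host.

```python
"""Minimal evaluator for a Sigma `selection` block, applied to the
CVE-2024-3094 sshd child-process rule. Added example, not part of the
Sigma project. Sample events below are constructed, not real telemetry."""

# The rule's selection block, copied from the YAML above.
SELECTION = {
    "ParentImage|endswith": "/sshd",
    "CommandLine|startswith": ["bash -c", "sh -c"],
    "User": "root",
}


def _value_matches(modifier, actual, expected):
    """Compare one event value against one rule value under a Sigma modifier.
    Sigma string matching is case-insensitive by default, hence the lower()."""
    a, e = actual.lower(), expected.lower()
    if modifier is None:
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """All fields of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        actual = event.get(field)
        if actual is None:
            # A missing field can never satisfy the condition.
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, actual, v) for v in values):
            return False
    return True


def find_alerts(events, selection=SELECTION):
    """Return the subset of events that would fire the rule."""
    return [ev for ev in events if matches_selection(ev, selection)]


# Constructed process_creation events (hypothetical values for illustration).
SAMPLE_EVENTS = [
    # 1. sshd -> "sh -c ..." as root: fires (the shape the rule is looking for)
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "sh -c id", "User": "root"},
    # 2. same command shape but a non-root user: does not fire
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "bash -c id", "User": "alice"},
    # 3. parent is a shell, not sshd: does not fire
    {"ParentImage": "/usr/bin/bash", "CommandLine": "sh -c ls", "User": "root"},
    # 4. sshd child as root, but no "sh -c"/"bash -c" prefix: does not fire
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "/usr/bin/id", "User": "root"},
    # 5. root admin activity wrapped in "bash -c": fires, i.e. the documented
    #    false-positive case, which is why the rule is rated high, not critical
    {"ParentImage": "/usr/sbin/sshd",
     "CommandLine": "bash -c 'systemctl restart nginx'", "User": "root"},
]


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", ev)
```

Running the block prints two alerts: event 1 (the suspicious pattern) and event 5 (the legitimate root administration case listed under `falsepositives`). When tuning the rule for a fleet, the false-positive path is usually handled by adding a filter selection for known management tooling rather than by loosening the `User` or `ParentImage` constraints, since those two fields carry most of the rule's signal.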
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2024-50623 Exploitation Attempt - Cleo
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- File Creation Related To RAT Clients