Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific user. This could be a sign of exploitation of CVE-2024-3094.

Sigma rule

title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
description: |
        Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024/04/01
modified: 2024/04/12
tags:
    - attack.execution
    - cve.2024.3094
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        ParentImage|endswith: '/sshd'
        CommandLine|startswith:
            - 'bash -c'
            - 'sh -c'
        User: 'root'
    selection_2:
        ParentImage|endswith: '/sshd'
        Image|endswith: '/sshd'
        User: 'sshd'
        CommandLine|contains: 'root'
    condition: 1 of selection_*
falsepositives:
    - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
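To show how the two selections and the `1 of selection_*` condition behave on real-looking telemetry, here is an added Python example (not part of the rule page or the Sigma project) that evaluates the rule's matching logic over constructed Linux process_creation events; the field names follow the rule, and the sample events are made up for illustration, including the interactive-root-login case that the falsepositives note is about.

```python
# Added example: hand-coded equivalent of the rule's two selections.
# Field names (ParentImage, Image, CommandLine, User) are taken from the rule.

def selection_1(ev: dict) -> bool:
    """Root shell spawned by sshd via 'bash -c' / 'sh -c'."""
    return (
        ev.get("ParentImage", "").endswith("/sshd")
        and ev.get("CommandLine", "").startswith(("bash -c", "sh -c"))
        and ev.get("User") == "root"
    )

def selection_2(ev: dict) -> bool:
    """sshd child of sshd, running as user 'sshd', command line mentions root."""
    return (
        ev.get("ParentImage", "").endswith("/sshd")
        and ev.get("Image", "").endswith("/sshd")
        and ev.get("User") == "sshd"
        and "root" in ev.get("CommandLine", "")
    )

def matches(ev: dict) -> bool:
    """condition: 1 of selection_*  (either selection is enough)."""
    return selection_1(ev) or selection_2(ev)

def triage(events):
    """Return (index, selection name) for every event that fires the rule."""
    hits = []
    for i, ev in enumerate(events):
        if selection_1(ev):
            hits.append((i, "selection_1"))
        elif selection_2(ev):
            hits.append((i, "selection_2"))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # sshd launching a root shell with "sh -c": fires selection_1
    {"ParentImage": "/usr/sbin/sshd", "Image": "/usr/bin/sh",
     "CommandLine": "sh -c id", "User": "root"},
    # sshd child as user sshd, no 'root' in the command line: no hit
    {"ParentImage": "/usr/sbin/sshd", "Image": "/usr/sbin/sshd",
     "CommandLine": "sshd: alice [net]", "User": "sshd"},
    # sshd child as user sshd with 'root' in the command line: fires selection_2
    {"ParentImage": "/usr/sbin/sshd", "Image": "/usr/sbin/sshd",
     "CommandLine": "sshd: root [net]", "User": "sshd"},
    # interactive root login shell (no "-c"): not matched by selection_1
    {"ParentImage": "/usr/sbin/sshd", "Image": "/usr/bin/bash",
     "CommandLine": "-bash", "User": "root"},
]
```

Prefixing an admin command with `sh -c` turns the last event into a selection_1 hit, which is the false positive the rule documents.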
