Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific execution user (root). This could be a sign of potential exploitation of CVE-2024-3094, the backdoor in xz/liblzma that is reachable through sshd.
Sigma rule

title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
description: |
    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024-04-01
modified: 2024-07-03
tags:
    - attack.execution
    - cve.2024-3094
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/sshd'
        CommandLine|startswith:
            - 'bash -c'
            - 'sh -c'
        User: 'root'
    condition: selection
falsepositives:
    - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
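The following is an added example, not part of the rule or of the Sigma project, that evaluates the rule's `selection` block in plain Python over a handful of constructed Linux process_creation events. It shows which events the three conditions (parent image ending in `/sshd`, command line starting with `bash -c` or `sh -c`, user `root`) match together, and why the listed false positive (an administrator running `ssh root@host 'sh -c ...'`) is indistinguishable from the backdoor case at this field level. The field names are the ones the rule uses; the sample events and their values are constructed for illustration.

```python
"""Evaluate the 'selection' block of the Sigma rule above against process_creation events.

Added example, not the Sigma project's own code. Sigma string modifiers
(endswith, startswith) compare case-insensitively by default, so every
comparison below is done on lowercased values. A list under a field with a
modifier is an OR, so either command-line prefix satisfies that field.
"""

# Values taken directly from the rule's selection block.
PARENT_SUFFIX = "/sshd"
COMMANDLINE_PREFIXES = ("bash -c", "sh -c")
EXECUTION_USER = "root"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies all three selection conditions.

    All fields in a Sigma selection map are ANDed; the list under
    CommandLine|startswith is ORed. Missing fields never match.
    """
    parent = str(event.get("ParentImage", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    user = str(event.get("User", "")).lower()

    if not parent.endswith(PARENT_SUFFIX):
        return False
    if not cmdline.startswith(COMMANDLINE_PREFIXES):
        return False
    return user == EXECUTION_USER


# Constructed sample events (not real telemetry); comments say what each one represents.
SAMPLE_EVENTS = [
    # sshd spawning a non-interactive root shell: the pattern the rule targets.
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "sh -c id", "User": "root"},
    # Same pattern with bash; also matches (the rule's own false-positive case
    # of an admin running `ssh root@host "bash -c ..."` looks identical here).
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "bash -c 'uptime'", "User": "root"},
    # Non-root user: User condition fails.
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "sh -c id", "User": "alice"},
    # Parent is not sshd: ParentImage condition fails.
    {"ParentImage": "/usr/bin/bash", "CommandLine": "sh -c id", "User": "root"},
    # Interactive login shell without -c: CommandLine condition fails.
    {"ParentImage": "/usr/sbin/sshd", "CommandLine": "-bash", "User": "root"},
    # Upper-case image path still matches because Sigma matching is case-insensitive.
    {"ParentImage": "/USR/SBIN/SSHD", "CommandLine": "SH -c whoami", "User": "ROOT"},
]


def find_matches(events) -> list:
    """Return the subset of events that would raise this (level: high) alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints three alerts: the two sshd-spawned `sh -c`/`bash -c` root events and the upper-case variant. The remaining events fail exactly one condition each, which is a useful way to confirm a rule's logic before deploying it to a SIEM; the false-positive note in the rule applies because nothing in these fields separates a legitimate `ssh root@host 'sh -c ...'` session from backdoor-triggered command execution, so the alert should be triaged against the originating connection and the admin's expected activity.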