Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific user: a shell (`sh -c` / `bash -c`) spawned by sshd as root, or an sshd child process running as the `sshd` user. This could be a sign of exploitation of CVE-2024-3094.

Sigma rule

title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
description: |
        Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024/04/01
tags:
    - attack.execution
    - cve.2024.3094
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        ParentImage|endswith: '/sshd'
        CommandLine|startswith:
            - 'bash -c'
            - 'sh -c'
        User: 'root'
    selection_2:
        ParentImage|endswith: '/sshd'
        Image|endswith: '/sshd'
        User: 'sshd'
    condition: 1 of selection_*
falsepositives:
    - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
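The detection block of the rule, evaluated in Python over a handful of constructed Linux process_creation events. This is an added example, not code from the Sigma project or from the rule's authors: the matcher implements only what the rule needs (exact match, the `startswith` and `endswith` modifiers, OR over list values, AND over the keys of one selection, and the `1 of selection_*` condition) and follows Sigma's case-insensitive string matching. The events are made up to mirror the xzbot demo (sshd running as root spawning `sh -c` with an attacker-supplied command; the payload string here is invented), the false positive named in the rule (`ssh root@host ls -la`), and ordinary sshd children that neither selection should match.

```python
"""Added example (not from the Sigma project): evaluate the rule's detection
block against constructed Linux process_creation events.

Only the Sigma features the rule uses are implemented: exact match, the
|startswith and |endswith modifiers, OR over list values, AND over the keys
of one selection, and the condition "1 of selection_*".
"""

# Transcribed from the detection section of the rule above.
DETECTION = {
    "selection_1": {
        "ParentImage|endswith": "/sshd",
        "CommandLine|startswith": ["bash -c", "sh -c"],
        "User": "root",
    },
    "selection_2": {
        "ParentImage|endswith": "/sshd",
        "Image|endswith": "/sshd",
        "User": "sshd",
    },
}


def _value_matches(actual, modifier, expected):
    """Apply one Sigma modifier; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection, event):
    """Every key of a selection must match (AND); list values are OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event[field], modifier or None, c) for c in candidates):
            return False
    return True


def matching_selections(event, detection=DETECTION):
    """Names of the selections the event satisfies."""
    return [name for name, sel in detection.items() if selection_matches(sel, event)]


def rule_fires(event, detection=DETECTION):
    """condition: 1 of selection_*  ->  at least one selection matched."""
    return bool(matching_selections(event, detection))


# Constructed events; field names follow the Sigma linux process_creation schema.
EVENTS = {
    # sshd (root) spawns a shell via system(): the pattern from the xzbot demo.
    # The payload command is invented for this example.
    "backdoor_payload": {
        "ParentImage": "/usr/sbin/sshd",
        "Image": "/usr/bin/sh",
        "CommandLine": "sh -c id > /tmp/.xz",
        "User": "root",
    },
    # 'ssh root@host ls -la': the false positive named in the rule.
    "root_remote_command": {
        "ParentImage": "/usr/sbin/sshd",
        "Image": "/usr/bin/bash",
        "CommandLine": "bash -c ls -la",
        "User": "root",
    },
    # Unprivileged privilege-separation child (forked, so argv is inherited).
    "privsep_child": {
        "ParentImage": "/usr/sbin/sshd",
        "Image": "/usr/sbin/sshd",
        "CommandLine": "/usr/sbin/sshd -R",
        "User": "sshd",
    },
    # Same kind of remote command from a non-root user: outside both selections.
    "user_remote_command": {
        "ParentImage": "/usr/sbin/sshd",
        "Image": "/usr/bin/bash",
        "CommandLine": "bash -c uptime",
        "User": "alice",
    },
    # Re-executed per-connection sshd, still root: outside both selections.
    "reexec_handler": {
        "ParentImage": "/usr/sbin/sshd",
        "Image": "/usr/sbin/sshd",
        "CommandLine": "/usr/sbin/sshd -R",
        "User": "root",
    },
}


if __name__ == "__main__":
    for name, event in EVENTS.items():
        hit = matching_selections(event)
        print(f"{name:22s} -> {'ALERT ' + ','.join(hit) if hit else 'no match'}")
```

Two things the run makes visible. First, selection_1 cannot tell the backdoor payload apart from an administrator running a one-off command as root over SSH; both arrive as `sh -c` or `bash -c` with sshd as parent and root as user, which is exactly the false positive the rule lists. Second, selection_2 describes the shape of OpenSSH's own unprivileged privilege-separation child (a forked sshd dropped to the `sshd` user). Whether it fires on that child in practice depends on the telemetry: a source that only records execve will never see a fork-only child, while a fork-aware source (for example an eBPF-based agent) will, so baseline the volume of selection_2 hits in your environment before paging on them.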
