Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

Rule Info

Name
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Author
Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
Description
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Reference
https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
Date
2024-04-01 00:00:00
Modified
2024-07-03 00:00:00
Id
9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
Tags
attack.execution cve.2024.3094 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5

Rule History

Author
Title
Date
Commit
Arnim Rupp
Merge PR #4898 from @ruppde - Fix `Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process`
2024-07-03
0511e57c8
Florian Roth
docs: added modification date
2024-04-14
f8ca60544
Arnim Rupp
Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
2024-04-12
146c91c4b
Arnim Rupp
Merge PR #4794 from @ruppde - Potential Exploitation of CVE-2024-3094
2024-04-02
71ae004b3
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022