Merge PR SigmaHQ#4794 from @ruppde - Potential Exploitation of CVE-2024-3094

new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

---------

Co-authored-by: nasbench <[email protected]>
Co-authored-by: Thomas Patzke <[email protected]>

Author: 3 people

rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml

@@ -0,0 +1,30 @@
+title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
+id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
+status: experimental
+description: |
+    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
+references:
+    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
+author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
+date: 2024/04/01
+tags:
+    - attack.execution
+    - cve.2024.3094
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_1:
+        ParentImage|endswith: '/sshd'
+        CommandLine|startswith:
+            - 'bash -c'
+            - 'sh -c'
+        User: 'root'
+    selection_2:
+        ParentImage|endswith: '/sshd'
+        Image|endswith: '/sshd'
+        User: 'sshd'
+    condition: 1 of selection_*
+falsepositives:
+    - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"
+level: high