Merge PR #4898 from @ruppde - Fix `Potential Exploitation of CVE-2024…

…-3094 - Suspicious SSH Child Process` fix: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Remove `selection_2` as it generates tons of false positives. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Jul 3, 2024 · 0511e57 · 0511e57
1 parent 651bee3
commit 0511e57
Showing 1 changed file with 4 additions and 9 deletions.
diff --git a/...024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml b/...024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
@@ -7,26 +7,21 @@ references:
     - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
 author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
 date: 2024/04/01
-modified: 2024/04/12
+modified: 2024/07/03
 tags:
     - attack.execution
     - cve.2024.3094
 logsource:
     category: process_creation
     product: linux
 detection:
-    selection_1:
+    selection:
         ParentImage|endswith: '/sshd'
         CommandLine|startswith:
             - 'bash -c'
             - 'sh -c'
         User: 'root'
-    selection_2:
-        ParentImage|endswith: '/sshd'
-        Image|endswith: '/sshd'
-        User: 'sshd'
-        CommandLine|contains: 'root'
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
-    - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"
+    - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
 level: high