Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml

remove selection_2 as it's prone to false positives during ssh brute force
SigmaHQ · Jul 3, 2024 · 4841e19 · 4841e19
1 parent 651bee3
commit 4841e19
Showing 1 changed file with 1 addition and 6 deletions.
diff --git a/...024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml b/...024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
 author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
 date: 2024/04/01
-modified: 2024/04/12
+modified: 2024/07/03
 tags:
     - attack.execution
     - cve.2024.3094
@@ -21,11 +21,6 @@ detection:
             - 'bash -c'
             - 'sh -c'
         User: 'root'
-    selection_2:
-        ParentImage|endswith: '/sshd'
-        Image|endswith: '/sshd'
-        User: 'sshd'
-        CommandLine|contains: 'root'
     condition: 1 of selection_*
 falsepositives:
     - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"