Redis server wrote suspicious module file
What happened
The file {{ @file.path }} was written by {{ @process.comm }} and could be a malicious module used to achieve command execution.
Goal
Detect Redis writing a malicious module.
Strategy
One of the primary methods for compromising vulnerable Redis deployments is to use the SLAVEOF command (now renamed to REPLICAOF) to modify the replication settings of a Redis instance and join it to an attacker-controlled Redis cluster. From there, the attacker pushes a malicious Redis module to the compromised Redis node using the Redis cluster replication capabilities. This is used to achieve command execution on the compromised Redis instance.
Triage and response
- Determine if the Redis module is authorized on the host.
- If the activity is not authorized, verify whether the instance has been joined to an attacker-controlled cluster by running the CLUSTER INFO command.
- If the instance has been compromised, initiate incident response procedures.
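The following is an added example, not part of this rule page and not Datadog's own detection logic: a minimal detector in the spirit of the rule (a Redis server process writing a shared object or ELF file) together with a triage helper that parses the output of the Redis INFO replication section and reports whether the instance is replicating from a master outside an operator-maintained allow-list, which is the state an unauthorized SLAVEOF/REPLICAOF leaves behind. The event structure, the allow-list, and all sample data are constructed for this illustration; the INFO field names (role, master_host, master_port, master_link_status) are the ones Redis itself emits.

```python
"""Added example (not the rule page's or Datadog's code).

Two defender-side helpers:
  1. is_suspicious_module_write: flags file writes by a Redis server process that
     look like loadable modules (.so path or ELF header) rather than the expected
     RDB/AOF persistence files.
  2. replication_looks_hijacked: parses constructed `INFO replication` output and
     reports a replica whose master is not on the operator's allow-list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

ELF_MAGIC = b"\x7fELF"
REDIS_PROCESSES = {"redis-server"}       # process names treated as Redis (assumption)
MODULE_EXTENSIONS = (".so",)             # Redis modules are shared objects


@dataclass
class FileWriteEvent:
    """Constructed event shape; real agent events carry more fields."""
    process_comm: str   # name of the writing process, e.g. "redis-server"
    file_path: str      # destination path of the write
    header: bytes       # first bytes of the written file


def is_suspicious_module_write(ev: FileWriteEvent) -> bool:
    """True when a Redis server process writes something that looks like a module.

    A normal Redis instance writes dump.rdb / appendonly.aof, never ELF objects,
    so either a .so destination or an ELF magic header is enough to alert on.
    """
    if ev.process_comm not in REDIS_PROCESSES:
        return False
    return ev.file_path.endswith(MODULE_EXTENSIONS) or ev.header.startswith(ELF_MAGIC)


def suspicious_paths(events: Iterable[FileWriteEvent]) -> List[str]:
    """Return the paths of all events the detector flags, in input order."""
    return [e.file_path for e in events if is_suspicious_module_write(e)]


def parse_info_section(text: str) -> dict:
    """Parse the 'key:value' lines of a Redis INFO section into a dict.

    Comment lines ('# Replication') and blank lines are skipped.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def replication_looks_hijacked(info_text: str, known_masters: Set[str]) -> bool:
    """True when the instance is a replica of a host not in known_masters.

    Redis still reports the replica role as 'slave' in INFO output, so that is
    the value checked here. A master (role:master) is never flagged by this check.
    """
    info = parse_info_section(info_text)
    if info.get("role") != "slave":
        return False
    return info.get("master_host") not in known_masters


# ---- constructed sample data ------------------------------------------------
SAMPLE_EVENTS = [
    FileWriteEvent("redis-server", "/var/lib/redis/dump.rdb", b"REDIS0009"),   # benign persistence
    FileWriteEvent("redis-server", "/tmp/module.so", b"\x7fELF\x02\x01"),      # .so + ELF header
    FileWriteEvent("redis-server", "/tmp/.cache", b"\x7fELF\x02\x01"),         # ELF header only
    FileWriteEvent("sshd", "/usr/lib/libexample.so", b"\x7fELF"),              # not Redis
]

# Constructed output in the shape of `redis-cli INFO replication` on a replica;
# 203.0.113.45 is a documentation-range address standing in for an unknown master.
SAMPLE_INFO_REPLICATION = """# Replication
role:slave
master_host:203.0.113.45
master_port:6379
master_link_status:up
"""
KNOWN_MASTERS = {"10.0.0.5"}   # operator-maintained allow-list (assumption)

if __name__ == "__main__":
    print("flagged writes:", suspicious_paths(SAMPLE_EVENTS))
    print("replicating from unknown master:",
          replication_looks_hijacked(SAMPLE_INFO_REPLICATION, KNOWN_MASTERS))
```

The write detector deliberately keys on both the destination extension and the ELF magic, since an attacker-supplied module need not carry a .so suffix; the replication check complements the CLUSTER INFO step in the triage list by giving an explicit master host to compare against what operations expects.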
Requires Agent version 7.27 or greater