Redis server wrote suspicious module file

Goal

Detect when the Redis server process writes a file that looks like a loadable Redis module (a shared object), which may mean a potentially malicious module has been saved to disk.

Strategy

One of the primary methods for compromising exposed Redis deployments is to use the SLAVEOF command (now renamed REPLICAOF) to change the instance's replication settings so that it becomes a replica of an attacker-controlled Redis server. This does not require Redis Cluster to be enabled; ordinary primary/replica replication is enough. During synchronization the replica accepts whatever dataset the primary sends and writes it to disk, so the attacker uses this replication channel to push a malicious Redis module (a shared object) onto the compromised node, where it is written by the redis-server process itself, and then loads it with MODULE LOAD to achieve arbitrary command execution on the host.

Triage and response

  1. Determine if the Redis module is authorized on the host.
  2. If the activity is not authorized, check whether the instance has been pointed at an attacker-controlled primary: run INFO replication and inspect role, master_host and master_port; run MODULE LIST to find modules you did not deploy; and run CONFIG GET dir and CONFIG GET dbfilename to see whether the dump location was redirected at the module file. If the instance is part of a Redis Cluster, CLUSTER INFO and CLUSTER NODES also show whether unknown nodes have joined.
  3. If the instance has been compromised, initiate incident response procedures.
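The following script is an added example written for this page, not part of the original rule or of Redis itself. It shows how the replication-abuse technique described in the Strategy section leaves traces that the triage steps above look for, by parsing the output of INFO replication, CONFIG GET dir, CONFIG GET dbfilename and MODULE LIST and reporting an unexpected primary, a dump path redirected at a shared object, and modules that were not deployed on purpose. The allowlists (ALLOWED_MASTERS, ALLOWED_MODULES) and the sample command outputs are constructed assumptions for illustration; on a real host you would feed it what redis-cli returns.

```python
"""Offline triage helper for a suspected rogue-replica Redis compromise.

Added example, not from the original page. It parses captured output of
``INFO replication`` (raw text), ``CONFIG GET dir``/``CONFIG GET dbfilename``
(as a dict) and ``MODULE LIST`` (as a list of dicts) and returns findings.
All sample data and allowlists below are constructed for illustration.
"""
from __future__ import annotations

# Assumption: the only primary this instance should ever replicate from.
ALLOWED_MASTERS = {"10.0.0.5"}
# Assumption: modules that were deployed on purpose on this host.
ALLOWED_MODULES = {"ReJSON", "search"}
# File suffixes that indicate a loadable module rather than an RDB dump.
MODULE_SUFFIXES = (".so",)


def parse_info(text: str) -> dict[str, str]:
    """Parse 'key:value' lines from an INFO section, skipping '#' headers."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def triage(info_replication: str, config: dict[str, str],
           modules: list[dict]) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings: list[str] = []

    # 1. Was the instance turned into a replica of a primary we do not know?
    repl = parse_info(info_replication)
    if repl.get("role", "") in ("slave", "replica"):
        master = repl.get("master_host", "?")
        port = repl.get("master_port", "?")
        if master not in ALLOWED_MASTERS:
            findings.append(f"replica of unexpected master {master}:{port}")

    # 2. Was the RDB dump path redirected at a shared object (the module file)?
    dbfilename = config.get("dbfilename", "")
    if dbfilename.endswith(MODULE_SUFFIXES):
        findings.append(
            f"dbfilename points at a shared object: {config.get('dir', '')}/{dbfilename}"
        )

    # 3. Is any module loaded that we did not deploy?
    for mod in modules:
        if mod.get("name") not in ALLOWED_MODULES:
            findings.append(
                f"unknown module loaded: {mod.get('name')} from {mod.get('path', '?')}"
            )
    return findings


# Constructed sample outputs mimicking a compromised instance.
SAMPLE_INFO = """# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
master_last_io_seconds_ago:1
"""
SAMPLE_CONFIG = {"dir": "/tmp", "dbfilename": "module.so"}
SAMPLE_MODULES = [{"name": "sys", "ver": 1, "path": "/tmp/module.so"}]

# Constructed sample outputs mimicking a healthy primary.
CLEAN_INFO = """# Replication
role:master
connected_slaves:1
"""
CLEAN_CONFIG = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFO, SAMPLE_CONFIG, SAMPLE_MODULES):
        print("FINDING:", finding)
    print("clean instance findings:", triage(CLEAN_INFO, CLEAN_CONFIG, []))
```

To run it against a live host, capture `redis-cli INFO replication`, `redis-cli CONFIG GET dir`, `redis-cli CONFIG GET dbfilename` and `redis-cli MODULE LIST` and pass them in; the script deliberately takes text and dicts rather than opening a connection so it can be run from a forensic copy of the output. Treat any finding from step 1 or 2 as strong evidence of the rogue-replica technique even if no module is currently listed, since the attacker may have unloaded it after use.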

Requires Agent version 7.27 or greater