Redis server wrote suspicious module file
Goal
A potentially malicious Redis module has been saved.
Strategy
One of the primary methods for compromising vulnerable Redis deployments is to use the SLAVEOF command (now renamed to REPLICAOF) to modify the replication settings of a Redis instance and join it to an attacker-controlled Redis cluster. From there, the attacker pushes a malicious Redis module to the compromised node using Redis replication, and loads that module to achieve command execution on the compromised Redis instance.
Triage and response
- Determine if the Redis module is authorized on the host.
- If the activity is not authorized, verify whether the instance has been joined to an attacker-controlled cluster by running the CLUSTER INFO command.
- If the instance has been compromised, initiate incident response procedures.
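The following triage helper is an added example, not part of this rule or of Redis: it parses the text that redis-cli returns for INFO replication and MODULE LIST and flags an instance that has become a replica of a master outside an allowlist, or that has a module loaded from outside the approved module directory. The sample responses, master address, module name and directory are constructed for the example.

```python
import re

# Constructed sample responses in redis-cli's text format (addresses, module name and path are made up).
SAMPLE_INFO_REPLICATION = """# Replication
role:slave
master_host:203.0.113.45
master_port:6379
"""

SAMPLE_MODULE_LIST = """1) 1) "name"
   2) "mymod"
   3) "ver"
   4) (integer) 1
   5) "path"
   6) "/tmp/mymod.so"
"""

def parse_info(text):
    """Map the key:value lines of an INFO section to a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_module_list(text):
    """Parse redis-cli MODULE LIST output into one dict per loaded module."""
    tokens = [q or n for q, n in re.findall(r'"([^"]*)"|\(integer\) (-?\d+)', text)]
    modules, current = [], None
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key == "name":  # each module entry starts with its name field
            current = {}
            modules.append(current)
        if current is not None:
            current[key] = value
    return modules

def triage(info_text, module_text, expected_masters, approved_dir):
    """Return findings for an unexpected master or a module outside approved_dir."""
    findings = []
    info = parse_info(info_text)
    if info.get("role") == "slave":  # SLAVEOF/REPLICAOF turns the node into a replica
        master = f"{info.get('master_host')}:{info.get('master_port')}"
        if master not in expected_masters:
            findings.append(f"replica of unexpected master {master}")
    for mod in parse_module_list(module_text):
        if not mod.get("path", "").startswith(approved_dir):
            findings.append(f"module {mod.get('name')} loaded from {mod.get('path')}")
    return findings
```

Feed triage() the output of `redis-cli INFO replication` and `redis-cli MODULE LIST` from the host in question, together with the set of masters the instance is expected to replicate from.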
Requires Agent version 7.27 or greater