Skip to content

Add Celery worker shell-spawn detection (rev. of #6108)#6120

Open
Batina-Jennifer wants to merge 5 commits into
SigmaHQ:masterfrom
Batina-Jennifer:master
Open

Add Celery worker shell-spawn detection (rev. of #6108)#6120
Batina-Jennifer wants to merge 5 commits into
SigmaHQ:masterfrom
Batina-Jennifer:master

Conversation

@Batina-Jennifer

Copy link
Copy Markdown

Summary of the Pull Request

Re-submitting the Celery worker shell-spawn detection rule after addressing review feedback on #6108 . The rule detects a system shell (sh/bash/dash) spawned directly by a Celery worker process, which is a strong indicator of untrusted input reaching an unsanitized os.system or subprocess(shell=True) call — e.g. via an indirect prompt injection payload in an LLM agent task. Original feedback was that the rule didn't follow repo conventions and lacked a real log sample; both are now fixed, and the attached auditd log sample below shows the rule firing against a live PoC.

Changelog

new: System Shell Spawned From Celery Worker Process

Example Log Event

Raw auditd EXECVE record (celery worker startup):
type=EXECVE msg=audit(1783593584.754:952): argc=6 a0="/home/jenny/celery_test/venv/bin/python3" a1="/home/jenny/celery_test/venv/bin/celery" a2="-A" a3="app" a4="worker" a5="--loglevel=info"
...comm="celery" exe="/usr/bin/python3.12" ppid=8500 pid=10340...

Raw auditd EXECVE record (shell spawned by the worker):
type=EXECVE msg=audit(1783593603.674:960): argc=4 a0="sh" a1="-c" a2="--" a3=6563686F2027506970656C696E6520646174613A20272626206563686F20446174613B20756E616D65202D613B20656E763B206964207C2067726570202D696F4520275B612D7A302D395B3A73706163653A5D5D2B27
...exe="/usr/bin/dash" ppid=10342 (child of the celery worker, pid 10340, via an untracked ForkPoolWorker fork)...

The a3 field above is auditd's hex-encoded argv string; decoded (echo "<a3_value>" | xxd -r -p) it reads:
echo 'Pipeline Data: ' && echo Data; uname -a; env; id | grep -ioE '[a-z0-9[:space:]]+'

The two log events show a Celery worker (python3.12, pid 10340) forking a shell (/bin/dash) that executes the injected command (echo 'Pipeline Data:....'). This rule is built to catch exactly this, as captured from the PoC.

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

This Sigma rule detects potential indirect prompt injection manipulation and data exfiltration attempts by monitoring specific command line patterns and parent images in a Linux environment.
@github-actions github-actions Bot added Rules Review Needed The PR requires review Linux Pull request add/update linux related rules labels Jul 9, 2026
Updated the description formatting for clarity.
Removed unnecessary fields from the Celery worker shell spawn rule.

@nasbench nasbench left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. Just some small suggestions

Comment thread rules/linux/process_creation/proc_creation_lnx_celery_worker_shell_spawn.yml Outdated
Comment thread rules/linux/process_creation/proc_creation_lnx_celery_worker_shell_spawn.yml Outdated
Comment thread rules/linux/process_creation/proc_creation_lnx_celery_worker_shell_spawn.yml Outdated
@nasbench nasbench added this to the Sigma-August-Release-26 milestone Jul 10, 2026
Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Linux Pull request add/update linux related rules Review Needed The PR requires review Rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants