Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.
Sigma rule
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/rsync'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - 'sh 0<&2 1>&2'
            - 'sh 1>&2 0<&2'
    selection_null:
        CommandLine|contains: '/dev/null'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
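As an added example (not part of the Sigma rule or the SigmaHQ project), the rule's three selections and its "all of selection_*" condition reimplemented in Python and run over constructed process_creation events; the field names Image and CommandLine follow the Sigma process_creation schema the rule uses, and the sample events are invented, not real telemetry.

```python
# Added example: Python equivalent of the rule's detection block.
# Sigma string modifiers (contains, endswith) match case-insensitively by
# default, so both sides are lower-cased before comparison.

SHELL_PATTERNS = ("sh 0<&2 1>&2", "sh 1>&2 0<&2")


def selection_img(event):
    """Image|endswith '/rsync' AND CommandLine|contains ' -e '."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("/rsync") and " -e " in cmd


def selection_cli(event):
    """CommandLine|contains any of the shell-redirection patterns."""
    cmd = event.get("CommandLine", "").lower()
    return any(p in cmd for p in SHELL_PATTERNS)


def selection_null(event):
    """CommandLine|contains '/dev/null'."""
    return "/dev/null" in event.get("CommandLine", "").lower()


def matches_rule(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event) and selection_null(event)


# Constructed sample events (not real telemetry): one matching the rule and
# three near-misses, including an ordinary rsync-over-ssh backup.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -avz -e ssh ./site/ backup@10.0.0.5:/srv/site/"},
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -a /var/log/ /dev/null"},
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'sh 0<&2 1>&2' /dev/null"},
]


def alerts(events):
    """Return the command lines of all events the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT (level: high):", line)
```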
Related rules
- Capsh Shell Invocation - Linux
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Git - Linux
- Shell Invocation Via Ssh - Linux
- Shell Invocation via Env Command - Linux