Shell Execution via Rsync - Linux

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Sigma rule

```yaml
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high
```
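To see how the two selections combine, the following added example (not part of the rule or the Sigma project) re-implements the detection logic in plain Python and runs it over a few constructed process_creation events. Sigma string modifiers match case-insensitively, so both fields are lower-cased before comparison; the event field names `Image` and `CommandLine` follow the rule's logsource, and the sample command lines are invented for the test.

```python
# Shell names from selection_cli; each is matched as '/<shell> ' or "'<shell> ".
SHELLS = ("ash", "bash", "dash", "csh", "sh", "zsh", "tcsh", "ksh")


def matches(event):
    """Return True when the event satisfies 'all of selection_*'."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()

    # selection_img: rsync/rsyncd binary AND the ' -e ' (remote shell) switch.
    selection_img = image.endswith(("/rsync", "/rsyncd")) and " -e " in cli

    # selection_cli: a shell invoked by path ('/sh ') or quoted name ("'sh ").
    selection_cli = any(f"/{s} " in cli or f"'{s} " in cli for s in SHELLS)

    return selection_img and selection_cli


def alerts(events):
    """Command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


# Constructed sample events; not real telemetry.
EVENTS = [
    # Shell passed to -e: both selections hit -> alert.
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -e '/bin/sh -c id' 127.0.0.1:/dev/null"},
    # Ordinary remote copy over ssh on a custom port: ' -e ' is present but
    # "'ssh " is not "'sh ", so selection_cli fails -> no alert.
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -avz -e 'ssh -p 2222' ./site/ backup:/srv/site/"},
    # A path ending in '/sh ' satisfies selection_cli, but without ' -e '
    # selection_img fails -> no alert (the condition needs both).
    {"Image": "/usr/bin/rsync",
     "CommandLine": "rsync -a /home/user/sh /backup/"},
]

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```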
