Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell: an rsync process started with the -e (remote shell) option and a shell interpreter named in its command line. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Sigma rule

title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high
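The following is an added example, not code from the Sigma project or the rule authors: the rule's two selections and its `all of selection_*` condition re-implemented in plain Python and run over a handful of constructed process_creation events (the first command line is the GTFOBins rsync shell the rule references; the host names, paths and event ids are made up for the example). It mirrors Sigma semantics, where `endswith` and `contains` compare case-insensitively unless `|cased` is used.

```python
"""Added example (not part of the Sigma project): the rule's detection logic
re-implemented in plain Python and run over constructed process_creation events."""

SHELLS = ("ash", "bash", "dash", "csh", "sh", "zsh", "tcsh", "ksh")
# selection_img: Image|endswith one of these
IMAGE_SUFFIXES = ("/rsync", "/rsyncd")
# selection_cli: CommandLine|contains one of these (the "/sh " and "'sh " forms)
CLI_PATTERNS = tuple(f"/{s} " for s in SHELLS) + tuple(f"'{s} " for s in SHELLS)


def matches(event: dict) -> bool:
    """True when the event satisfies `condition: all of selection_*`.

    Sigma's endswith/contains modifiers are case-insensitive unless `|cased`
    is given, so both the field values and the patterns are compared lower-cased.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_img = image.endswith(IMAGE_SUFFIXES) and " -e " in cmdline
    selection_cli = any(p in cmdline for p in CLI_PATTERNS)
    return selection_img and selection_cli


# Constructed sample events (hypothetical hosts/paths); the first command line
# is the GTFOBins rsync shell technique the rule references.
EVENTS = [
    {"id": "gtfobins_shell", "Image": "/usr/bin/rsync",
     "CommandLine": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"id": "absolute_shell_path", "Image": "/usr/bin/rsync",
     "CommandLine": "rsync -e '/bin/bash -c id' 127.0.0.1:/tmp/x"},
    {"id": "benign_ssh_transport", "Image": "/usr/bin/rsync",
     "CommandLine": "rsync -avz -e ssh /srv/data/ backup01:/srv/data/"},
    {"id": "long_option_rsh", "Image": "/usr/bin/rsync",
     "CommandLine": "rsync --rsh='sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"id": "renamed_rsync_copy", "Image": "/tmp/rs",
     "CommandLine": "/tmp/rs -e 'sh -c id' 127.0.0.1:/dev/null"},
]


def evaluate(events=EVENTS) -> dict:
    """Map each event id to the rule's verdict (True = alert)."""
    return {e["id"]: matches(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '} {event_id}")
```

Running it shows what the rule, as written, does and does not cover: the GTFOBins one-liner and an absolute shell path both alert, while plain `-e ssh` transport stays quiet. The two remaining events stay quiet too, which is the practitioner's caveat: selection_img keys on the short ` -e ` form with a space on each side, so the equivalent `--rsh=` long option never reaches selection_cli, and a copy of rsync under another name fails the `Image|endswith` test. For the same reason a shell passed in a double-quoted argument (`-e "sh -c ..."`) matches neither the `/sh ` nor the `'sh ` pattern. Those are coverage limits of this rule's string matching, not bugs in the logic, and are worth pairing with a broader rule if they matter in your environment.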
References
- https://gtfobins.github.io/gtfobins/rsync/#shell
Related rules
- Suspicious Invocation of Shell via Rsync
- Renamed PingCastle Binary Execution
- HackTool - Stracciatella Execution
- Python Spawning Pretty TTY Via PTY Module
- Suspicious Greedy Compression Using Rar.EXE