Suspicious Invocation of Shell via Rsync
Detects a shell started as a child process of "rsync" or "rsyncd" whose command line does not contain the "-e" flag, which rsync uses to specify the remote shell. A shell spawned by rsync outside that path can indicate exploitation as described in CVE-2024-12084 and is typically an attempt to execute arbitrary commands on the host. Note that the filter is applied to the spawned shell's own command line, so any shell run with " -e " (for example an errexit script) is also excluded from matching.
Sigma rule
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
  Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
  - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
  - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
  - attack.execution
  - attack.t1059
  - attack.t1203
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/rsync'
      - '/rsyncd'
    Image|endswith:
      - '/ash'
      - '/bash'
      - '/csh'
      - '/dash'
      - '/ksh'
      - '/sh'
      - '/tcsh'
      - '/zsh'
  filter_main_expected:
    CommandLine|contains: ' -e '
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Unknown
level: high
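The following Python is an added example for this page, not code from SigmaHQ or the rule's author. It re-implements the rule's `selection and not 1 of filter_main_*` logic and runs it over a few constructed process_creation events (the event dicts, paths and command lines are made up for illustration). It assumes events are plain dicts keyed by the Sigma field names and that, as the Sigma specification defaults to, `endswith` and `contains` match case-insensitively. The last two samples show two edge cases worth knowing when tuning: `/bin/rsh` does not match the `/sh` suffix, and a shell run with `sh -e script.sh` is filtered out even though it has nothing to do with a remote shell.

```python
"""Evaluate the 'Suspicious Invocation of Shell via Rsync' Sigma logic on sample events.

Added example for this page; it is not part of the Sigma project or the rule itself.
"""
from typing import Dict, Iterable, List

# Values copied from the rule's selection and filter.
PARENT_SUFFIXES = ("/rsync", "/rsyncd")
SHELL_SUFFIXES = ("/ash", "/bash", "/csh", "/dash", "/ksh", "/sh", "/tcsh", "/zsh")
EXPECTED_FLAG = " -e "


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers are case-insensitive by default (assumption documented above).
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies `selection and not 1 of filter_main_*`.

    CommandLine in a process_creation event is the *spawned shell's* command line,
    not the parent rsync invocation, so that is what the filter inspects here.
    """
    selection = _endswith_any(event.get("ParentImage", ""), PARENT_SUFFIXES) and _endswith_any(
        event.get("Image", ""), SHELL_SUFFIXES
    )
    filter_main_expected = EXPECTED_FLAG in event.get("CommandLine", "").lower()
    return selection and not filter_main_expected


def alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); paths and arguments are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: rsync spawning sh -c -> alert
    {"ParentImage": "/usr/bin/rsync", "Image": "/bin/sh", "CommandLine": "sh -c 'id > /tmp/out'"},
    # 1: rsync daemon spawning an interactive bash -> alert
    {"ParentImage": "/usr/bin/rsyncd", "Image": "/bin/bash", "CommandLine": "bash -i"},
    # 2: rsync spawning ssh directly (normal -e ssh transport) -> no alert, Image is not a shell
    {"ParentImage": "/usr/bin/rsync", "Image": "/usr/bin/ssh", "CommandLine": "ssh -l backup host rsync --server"},
    # 3: shell child from an unrelated parent -> no alert
    {"ParentImage": "/usr/sbin/cron", "Image": "/bin/sh", "CommandLine": "sh -c run-parts /etc/cron.hourly"},
    # 4: /bin/rsh ends in 'sh' but not in '/sh' -> no alert
    {"ParentImage": "/usr/bin/rsync", "Image": "/bin/rsh", "CommandLine": "rsh host rsync --server"},
    # 5: shell invoked with errexit '-e' -> suppressed by filter_main_expected (tuning caveat)
    {"ParentImage": "/usr/bin/rsync", "Image": "/bin/sh", "CommandLine": "sh -e /tmp/post-sync.sh"},
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["Image"], "|", e["CommandLine"])
```

Running the block prints alerts for the first two samples only. Sample 5 is the one to look at before deploying: because the rule checks for " -e " in the child's command line rather than in rsync's, a legitimate `sh -e` helper script is silently whitelisted, while an attacker who happens to pass `-e` to the shell would be as well.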
References
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
Related rules
- Suspicious Browser Child Process - MacOS
- Shell Execution via Rsync - Linux
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Renamed PingCastle Binary Execution
- HackTool - Stracciatella Execution