Suspicious Invocation of Shell via Rsync

Detects the execution of a shell as a subprocess of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Sigma rule

title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
        Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/rsync'
            - '/rsyncd'
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
    filter_main_expected:
        CommandLine|contains: ' -e '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
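To make the detection logic concrete, the following is an added example (not part of the rule or the Sigma project) that re-implements the rule's selection, filter and condition in plain Python and runs it over a handful of constructed process_creation events. It follows Sigma's default semantics: `endswith` and `contains` are case-insensitive substring checks, and `CommandLine` in a process_creation event is the command line of the created process (the shell), not of its rsync parent. The event field names and sample values are assumptions made for the example.

```python
"""Re-implementation of the rule's detection block, run over constructed events."""

# Values copied from the rule's `selection` and `filter_main_expected` blocks.
RSYNC_PARENTS = ("/rsync", "/rsyncd")
SHELLS = ("/ash", "/bash", "/csh", "/dash", "/ksh", "/sh", "/tcsh", "/zsh")
EXPECTED_FLAG = " -e "  # Sigma `contains` -> substring match including the surrounding spaces


def selection_matches(event):
    """`selection`: ParentImage ends with an rsync binary AND Image ends with a shell."""
    parent = event.get("ParentImage", "").lower()  # Sigma string matches are case-insensitive
    image = event.get("Image", "").lower()
    return parent.endswith(RSYNC_PARENTS) and image.endswith(SHELLS)


def filter_main_expected(event):
    """`filter_main_expected`: the created process's CommandLine contains ' -e '."""
    return EXPECTED_FLAG in event.get("CommandLine", "").lower()


def rule_matches(event):
    """`condition: selection and not 1 of filter_main_*` (only one filter exists)."""
    return selection_matches(event) and not filter_main_expected(event)


def evaluate(events):
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {   # shell spawned by rsync with no ' -e ' in its own command line -> alert
        "id": "ev1", "ParentImage": "/usr/bin/rsync",
        "Image": "/usr/bin/bash", "CommandLine": "/usr/bin/bash -c 'id; uname -a'",
    },
    {   # shell whose command line carries ' -e ' -> suppressed by the filter
        "id": "ev2", "ParentImage": "/usr/bin/rsync",
        "Image": "/bin/sh", "CommandLine": "/bin/sh -e /tmp/post-sync.sh",
    },
    {   # the ordinary `rsync -e ssh` case: the child is ssh, not a shell -> no selection match
        "id": "ev3", "ParentImage": "/usr/bin/rsync",
        "Image": "/usr/bin/ssh", "CommandLine": "ssh -l backup host rsync --server --sender .",
    },
    {   # parent is not rsync -> no selection match
        "id": "ev4", "ParentImage": "/usr/sbin/cron",
        "Image": "/bin/sh", "CommandLine": "/bin/sh -c /etc/cron.hourly/rotate",
    },
    {   # daemon-style parent name from the rule, shell child, '-e' only at the very end -> alert
        "id": "ev5", "ParentImage": "/usr/local/bin/rsyncd",
        "Image": "/bin/dash", "CommandLine": "/bin/dash -e",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if rule_matches(event) else "-", event["CommandLine"])
```

Two points the run makes visible: the filter only looks at the shell's own command line, so when mapping this rule to a backend, confirm that `CommandLine` really is the child's field and not the parent's, and the `' -e '` pattern requires a space on both sides, so a flag at the very end of the command line (ev5) is not filtered.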
