Suspicious Invocation of Shell via Rsync

Rule Info

Name: Suspicious Invocation of Shell via Rsync
Author: Florian Roth
Description: Detects the execution of a shell as a subprocess of "rsync" without the expected command-line flag "-e" being used, which could indicate exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Date: 2025-01-18 00:00:00
Modified: None
Id: 297241f3-8108-4b3a-8c15-2dda9f844594
Tags: attack.execution, attack.t1059, attack.t1203
Type: Community Rule
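
The check in the description, applied to process-creation events, as an added example that is not the rule's own logic. It also covers the `--rsh` long form and bundled short flags such as `-avze`, which a plain substring match on " -e " would miss. Assumptions: Sigma-style field names (Image, ParentImage, ParentCommandLine), the process-name lists, and that "-e" is looked for on the rsync parent's command line.

```python
import shlex
from pathlib import PurePosixPath
# Assumptions of this example: the page lists neither process names nor fields.
RSYNC_NAMES = {"rsync", "rsyncd"}
SHELL_NAMES = {"sh", "ash", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
ARG_SHORT = set("BfMT@")  # other rsync short options that consume a value

def has_remote_shell_flag(cmdline):
    """True if an rsync command line sets -e/--rsh, bundled forms (-avze) included."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a logged command line
        tokens = cmdline.split()
    skip_value = False
    for tok in tokens[1:]:
        if skip_value:  # this token is the value of the previous option
            skip_value = False
            continue
        if tok == "--":  # end of options
            break
        if tok == "--rsh" or tok.startswith("--rsh="):
            return True
        if tok.startswith("-") and not tok.startswith("--"):
            for pos, ch in enumerate(tok[1:], start=1):
                if ch == "e":
                    return True
                if ch in ARG_SHORT:  # rest of the token, or the next one, is its value
                    skip_value = pos == len(tok) - 1
                    break
    return False

def is_suspicious(event):
    """Shell spawned by rsync whose own command line carries no -e/--rsh."""
    parent = PurePosixPath(event["ParentImage"]).name
    child = PurePosixPath(event["Image"]).name
    if parent not in RSYNC_NAMES or child not in SHELL_NAMES:
        return False
    return not has_remote_shell_flag(event["ParentCommandLine"])

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"ParentImage": "/usr/bin/rsync", "ParentCommandLine": "rsync --daemon --no-detach", "Image": "/bin/sh"},
    {"ParentImage": "/usr/bin/rsync", "ParentCommandLine": 'rsync -avze "sh /opt/backup/wrap.sh" /srv/ bk:/srv/', "Image": "/bin/sh"},
    {"ParentImage": "/usr/bin/rsync", "ParentCommandLine": "rsync -a --rsh=/opt/backup/wrap.sh /srv/ bk:/srv/", "Image": "/usr/bin/bash"},
    {"ParentImage": "/usr/sbin/sshd", "ParentCommandLine": "sshd: backup@pts/0", "Image": "/bin/bash"},
]

def flagged():
    return [i for i, ev in enumerate(EVENTS) if is_suspicious(ev)]
```

Only the first constructed event is flagged: a shell under an rsync daemon with no remote-shell option on the parent's command line.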

Rule History

Author: Florian Roth
Title: Merge PR #5163 from @Neo23x0 - Add/Update Rsync Linux Rules
Date: 2025-01-19
Commit: