Update proc_creation_lnx_rsync_shell_spawn.yml

SigmaHQ · Jan 19, 2025 · 7b8c52b · 7b8c52b
1 parent b82fd22
commit 7b8c52b
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
@@ -2,7 +2,7 @@ title: Suspicious Invocation of Shell via Rsync
 id: 297241f3-8108-4b3a-8c15-2dda9f844594
 status: experimental
 description: |
-    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084.This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
 references:
     - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
     - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
@@ -29,9 +29,9 @@ detection:
             - '/sh'
             - '/tcsh'
             - '/zsh'
-    filter_expected:
+    filter_main_expected:
         CommandLine|contains: ' -e '
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high