SigmaHQ · nasbench · Jan 19, 2025 · Jan 18, 2025 · Jan 18, 2025 · Jan 18, 2025
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
@@ -2,11 +2,12 @@ title: Shell Execution via Rsync - Linux
 id: e2326866-609f-4015-aea9-7ec634e8aa04
 status: experimental
 description: |
-    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 references:
     - https://gtfobins.github.io/gtfobins/rsync/#shell
-author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
 date: 2024-09-02
+modified: 2025-01-18
 tags:
     - attack.execution
     - attack.t1059
@@ -15,15 +16,29 @@ logsource:
     product: linux
 detection:
     selection_img:
-        Image|endswith: '/rsync'
+        Image|endswith:
+            - '/rsync'
+            - '/rsyncd'
         CommandLine|contains: ' -e '
     selection_cli:
         CommandLine|contains:
-            - 'sh 0<&2 1>&2'
-            - 'sh 1>&2 0<&2'
-    selection_null:
-        CommandLine|contains: '/dev/null'
+            - '/ash '
+            - '/bash '
+            - '/dash '
+            - '/csh '
+            - '/sh '
+            - '/zsh '
+            - '/tcsh '
+            - '/ksh '
+            - "'ash "
+            - "'bash "
+            - "'dash "
+            - "'csh "
+            - "'sh "
+            - "'zsh "
+            - "'tcsh "
+            - "'ksh "
     condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Legitimate cases in which "rsync" is used to execute a shell
 level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
@@ -0,0 +1,37 @@
+title: Suspicious Invocation of Shell via Rsync
+id: 297241f3-8108-4b3a-8c15-2dda9f844594
+status: experimental
+description: |
+    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+references:
+    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
+    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
+author: Florian Roth
+date: 2025-01-18
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1203
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        ParentImage|endswith:
+            - '/rsync'
+            - '/rsyncd'
+        Image|endswith:
+            - '/ash'
+            - '/bash'
+            - '/csh'
+            - '/dash'
+            - '/ksh'
+            - '/sh'
+            - '/tcsh'
+            - '/zsh'
+    filter_main_expected:
+        CommandLine|contains: ' -e '
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high