Adversaries may execute shell commands via Rsync to exfiltrate data or establish persistence on Linux systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities or data exfiltration attempts leveraging Rsync.
Detection Rule
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high
Azure Sentinel (KQL) query, using the ASIM imProcessCreate parser:

imProcessCreate
| where (TargetProcessName endswith "/rsync" or TargetProcessName endswith "/rsyncd")
    and TargetProcessCommandLine contains " -e "
    and (TargetProcessCommandLine contains "/ash "
        or TargetProcessCommandLine contains "/bash "
        or TargetProcessCommandLine contains "/dash "
        or TargetProcessCommandLine contains "/csh "
        or TargetProcessCommandLine contains "/sh "
        or TargetProcessCommandLine contains "/zsh "
        or TargetProcessCommandLine contains "/tcsh "
        or TargetProcessCommandLine contains "/ksh "
        or TargetProcessCommandLine contains "'ash "
        or TargetProcessCommandLine contains "'bash "
        or TargetProcessCommandLine contains "'dash "
        or TargetProcessCommandLine contains "'csh "
        or TargetProcessCommandLine contains "'sh "
        or TargetProcessCommandLine contains "'zsh "
        or TargetProcessCommandLine contains "'tcsh "
        or TargetProcessCommandLine contains "'ksh ")
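The rule's matching logic, re-implemented as an added Python predicate (not part of the Sigma rule or the Sentinel query) and run over constructed process_creation events. It mirrors the `all of selection_*` condition and the case-insensitive substring semantics shared by Sigma `contains` and KQL `contains`, and shows that a routine rsync-over-ssh transfer does not fire while a shell passed via `-e` does.

```python
"""Re-implementation of 'Shell Execution via Rsync - Linux' as a Python predicate."""
from dataclasses import dataclass

# Selection values copied from the rule. Sigma string matching is
# case-insensitive unless the |cased modifier is used, so both sides are casefolded.
RSYNC_IMAGES = ("/rsync", "/rsyncd")
EXEC_FLAG = " -e "
SHELL_TOKENS = tuple(
    prefix + shell + " "
    for prefix in ("/", "'")
    for shell in ("ash", "bash", "dash", "csh", "sh", "zsh", "tcsh", "ksh")
)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Sigma field: Image
    command_line: str   # Sigma field: CommandLine


def matches_rsync_shell_rule(event: ProcessEvent) -> bool:
    """True when the event satisfies 'all of selection_*'."""
    image = event.image.casefold()
    cmd = event.command_line.casefold()
    selection_img = image.endswith(RSYNC_IMAGES) and EXEC_FLAG in cmd
    selection_cli = any(token in cmd for token in SHELL_TOKENS)
    return selection_img and selection_cli


def matched_shell_tokens(event: ProcessEvent) -> list[str]:
    """Which selection_cli values fired; handy when triaging an alert."""
    cmd = event.command_line.casefold()
    return [t for t in SHELL_TOKENS if t in cmd]


# Constructed sample events (not from any real host): a hit, a benign
# rsync-over-ssh backup, a non-rsync image, and an upper-case shell path.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/rsync", "rsync -e 'sh -c id' 127.0.0.1:/tmp/out /tmp/in"),
    ProcessEvent("/usr/bin/rsync", "rsync -avz -e 'ssh -p 2222' /data backup01:/data"),
    ProcessEvent("/usr/bin/scp", "scp -e '/bin/bash -c id' a b"),
    ProcessEvent("/usr/bin/rsync", "rsync -e '/BIN/BASH -c id' 127.0.0.1:/tmp/out /tmp/in"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rsync_shell_rule(ev) else "ok   "
        print(f"{verdict} {ev.command_line}  tokens={matched_shell_tokens(ev)}")
```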
False Positive Scenarios

Scenario: Scheduled System Backup Using Rsync
Description: A legitimate scheduled backup job uses rsync to copy data from one server to another.
Filter/Exclusion: Check for --exclude patterns or job names containing backup or system_backup in the command line arguments.

Scenario: Admin Task to Synchronize User Home Directories
Description: An admin uses rsync to synchronize user home directories across multiple servers during a routine maintenance task.
Filter/Exclusion: Filter commands that include --exclude=/home/* or contain admin_sync in the command line.

Scenario: Log File Rotation Using Rsync
Description: A log rotation script uses rsync to move old log files to an archive directory.
Filter/Exclusion: Filter commands that include --exclude=*.log or reference directories like /var/log/.

Scenario: Development Team Using Rsync for Code Deployment
Description: A DevOps team uses rsync to deploy code to a staging environment as part of a CI/CD pipeline.
Filter/Exclusion: Filter commands that include --exclude=*.git or reference paths like /opt/app/deploy/.

Scenario: Database Replication Using Rsync
Description: A database administrator uses rsync to replicate database files between primary and secondary servers.
Filter/Exclusion: Filter commands that include --exclude=db_data or reference paths like /var/lib/mysql/.