Adversaries may use rsync to invoke a shell and execute arbitrary commands, leveraging the utility for command and control or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or lateral movement tactics.
Detection Rule
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/rsync'
            - '/rsyncd'
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
    filter_main_expected:
        CommandLine|contains: ' -e '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (ParentProcessName endswith "/rsync" or ParentProcessName endswith "/rsyncd"
      or ActingProcessName endswith "/rsync" or ActingProcessName endswith "/rsyncd")
    and (TargetProcessName endswith "/ash" or TargetProcessName endswith "/bash"
      or TargetProcessName endswith "/csh" or TargetProcessName endswith "/dash"
      or TargetProcessName endswith "/ksh" or TargetProcessName endswith "/sh"
      or TargetProcessName endswith "/tcsh" or TargetProcessName endswith "/zsh")
    and not(TargetProcessCommandLine contains " -e ")
Scenario: Scheduled System Backup Using Rsync with Shell Invocation
Description: A system administrator schedules a nightly backup using rsync with a shell command to compress or move files.
Filter/Exclusion: process.parent_process_name = "crontab" or process.command_line LIKE '%/usr/bin/crontab%'

Scenario: Automated Deployment Pipeline Using Rsync and Shell Script
Description: A CI/CD pipeline uses rsync to transfer files to a staging server, followed by a shell script to deploy the application.
Filter/Exclusion: process.parent_process_name = "jenkins" or process.command_line LIKE '%/opt/jenkins/jobs/%'

Scenario: User-Initiated File Transfer with Shell Command for Post-Processing
Description: A user runs rsync to transfer files and then uses a shell command to process or analyze the data.
Filter/Exclusion: process.user = "normal_user" and process.command_line LIKE '%rsync --exclude=%'

Scenario: System Maintenance Task Involving Rsync and Shell for Log Rotation
Description: A maintenance script uses rsync to archive logs and then runs a shell command to rotate or compress them.
Filter/Exclusion: process.command_line LIKE '%logrotate%' or process.parent_process_name = "systemd"

Scenario: Security Tool Integration Using Rsync with Shell for Data Sync
Description: A security tool like OSSEC or Snort uses rsync to sync logs and then runs a shell command to parse or alert on them.
Filter/Exclusion: process.command_line LIKE '%ossec%' or process.command_line LIKE '%snort%'
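To make the selection, filter and tuning steps concrete, the following is an added example (not part of the Sigma rule, the Sentinel query or any vendor tooling) that re-implements the rule's logic in Python and runs it over constructed process-creation events. Field names follow the ASIM imProcessCreate schema used by the KQL above; the sample events, the backup script path used as an allowlist entry and the helper names (`selection`, `filter_main_expected`, `rule_matches`, `excluded_by_tuning`, `evaluate`) are all assumptions made for the illustration.

```python
"""Added example: the 'Suspicious Invocation of Shell via Rsync' logic in Python,
evaluated over constructed imProcessCreate-style events. Illustrative only; it is
not the rule, the query, or any Sentinel component."""
from dataclasses import dataclass

# Suffix lists copied from the rule's ParentImage|endswith / Image|endswith.
RSYNC_SUFFIXES = ("/rsync", "/rsyncd")
SHELL_SUFFIXES = ("/ash", "/bash", "/csh", "/dash", "/ksh", "/sh", "/tcsh", "/zsh")


@dataclass
class ProcessEvent:
    """Minimal stand-in for one imProcessCreate row (only the fields the rule reads)."""
    TargetProcessName: str
    TargetProcessCommandLine: str
    ParentProcessName: str = ""
    ActingProcessName: str = ""   # ASIM: the process that directly spawned the target


def selection(ev: ProcessEvent) -> bool:
    """Sigma `selection`: rsync/rsyncd in either ASIM parent field and a shell as child."""
    parent_is_rsync = (ev.ParentProcessName.endswith(RSYNC_SUFFIXES)
                       or ev.ActingProcessName.endswith(RSYNC_SUFFIXES))
    child_is_shell = ev.TargetProcessName.endswith(SHELL_SUFFIXES)
    return parent_is_rsync and child_is_shell


def filter_main_expected(ev: ProcessEvent) -> bool:
    """Sigma `filter_main_expected`: the expected "-e" flag appears in the command line."""
    return " -e " in ev.TargetProcessCommandLine


def rule_matches(ev: ProcessEvent) -> bool:
    """Sigma `condition: selection and not 1 of filter_main_*`."""
    return selection(ev) and not filter_main_expected(ev)


def excluded_by_tuning(ev: ProcessEvent, allowed_paths: tuple) -> bool:
    """Site-specific allowlist in the spirit of the scenarios above: suppress hits
    whose command line references a reviewed script path (assumed, not from the rule)."""
    return any(path in ev.TargetProcessCommandLine for path in allowed_paths)


def evaluate(events, allowed_paths: tuple = ()) -> list:
    """Return the events that would still alert after the rule and the tuning layer."""
    return [ev for ev in events
            if rule_matches(ev) and not excluded_by_tuning(ev, allowed_paths)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: shell spawned by rsync with no "-e" anywhere -> alerts
    ProcessEvent("/bin/sh", "/bin/sh -c id", ParentProcessName="/usr/bin/rsync"),
    # 1: same parent/child, but the command line carries " -e " -> filtered by the rule
    ProcessEvent("/bin/sh", "/bin/sh -c 'ssh -e none backup.example.com rsync --server'",
                 ParentProcessName="/usr/bin/rsync"),
    # 2: shell child, but the parent is cron -> outside the selection
    ProcessEvent("/bin/bash", "/bin/bash /etc/cron.daily/sync",
                 ParentProcessName="/usr/sbin/cron"),
    # 3: rsync parent, but the child is not a shell -> outside the selection
    ProcessEvent("/usr/bin/python3", "python3 post.py", ParentProcessName="/usr/bin/rsync"),
    # 4: genuine rule hit that a reviewed backup script path (placeholder) can allowlist
    ProcessEvent("/bin/bash", "/bin/bash /opt/backup/nightly.sh",
                 ParentProcessName="/usr/bin/rsync"),
    # 5: only ActingProcessName populated, daemon variant -> still selected
    ProcessEvent("/bin/dash", "/bin/dash -c id", ActingProcessName="/usr/bin/rsyncd"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS, allowed_paths=("/opt/backup/nightly.sh",)):
        print("ALERT:", ev.ActingProcessName or ev.ParentProcessName,
              "->", ev.TargetProcessCommandLine)
```

Events 0, 4 and 5 survive the rule; the allowlist then drops event 4, leaving two alerts. Two practitioner notes fall out of running it: the query checks both ParentProcessName and ActingProcessName because ASIM sources populate them differently, so a matcher that reads only one field misses event 5; and the "-e" filter is a plain substring test, so any shell command line that happens to contain " -e " is suppressed. Treat that filter as a tunable starting point rather than a reliable exclusion, and prefer allowlisting on the full, reviewed command line as the tuning layer does here.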