Shell Execution via Rsync - Linux
- source: sigma
- techniques:
    - t1059
Description
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of a restricted environment.
Detection logic
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - '''ash '
            - '''bash '
            - '''dash '
            - '''csh '
            - '''sh '
            - '''zsh '
            - '''tcsh '
            - '''ksh '
    selection_img:
        CommandLine|contains: ' -e '
        Image|endswith:
            - /rsync
            - /rsyncd
    condition: all of selection_*
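The detection logic above evaluated in Python over constructed Linux process-creation events, as an added example that is not the Sigma project's own code; the field names follow the rule, and the sample command lines and image paths are constructed.

```python
# Added example: a minimal evaluator for the rule's "all of selection_*" logic.
# Not the Sigma project's code; field names follow the rule above and the
# sample events below are constructed.
SHELLS = ["ash", "bash", "dash", "csh", "sh", "zsh", "tcsh", "ksh"]

# selection_cli: the YAML value '''ash ' is the string 'ash  (quote, name, space),
# so the rule looks for "/<shell> " or "'<shell> " anywhere in the command line.
SELECTION_CLI = [f"/{s} " for s in SHELLS] + [f"'{s} " for s in SHELLS]

# selection_img: rsync invoked with the " -e " (remote shell) option.
SELECTION_IMG_CMDLINE = " -e "
SELECTION_IMG_IMAGE = ["/rsync", "/rsyncd"]


def matches(event: dict) -> bool:
    """True when both selections match. Sigma's |contains and |endswith
    modifiers are case-insensitive, so both fields are compared lowercased."""
    cmd = event.get("CommandLine", "").lower()
    img = event.get("Image", "").lower()
    selection_cli = any(tok in cmd for tok in SELECTION_CLI)
    selection_img = SELECTION_IMG_CMDLINE in cmd and any(
        img.endswith(suffix) for suffix in SELECTION_IMG_IMAGE
    )
    return selection_cli and selection_img


def alerts(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event that fires the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


# Constructed process-creation events (as an auditd or EDR sensor would report).
EVENTS = [
    # rsync used to launch a shell through -e: fires on "/sh ".
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -e /bin/sh -c id /dev/null"},
    # Same behaviour with a quoted shell name: fires on "'sh ".
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -e 'sh -c id' localhost:/tmp /tmp"},
    # Ordinary backup over ssh: " -e " is present but no shell token, does not fire.
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -avz -e ssh /data backup:/data"},
    # A shell that spawns rsync: Image is not rsync, does not fire.
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'rsync -a /src /dst'"},
]

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```

Note that every token ends in a space, so a command line ending in "-e /bin/sh" with no trailing argument does not match; a tuned rule may want to account for that.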