Sigma rules · CVE-2017-16548

Home/CVE-2017-16548/Sigma rules

Sigma

Sigma rules for CVE-2017-16548

2 rules · scoped to cve · back to CVE-2017-16548

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

2 of 2

direct high

Shell Execution via Rsync - Linux

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

status experimental author Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth id e2326866-609f-4015-aea9-7ec634e8aa04 license Sigma · DRL-1.1

view Sigma YAML

title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high

direct high

Suspicious Invocation of Shell via Rsync

Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

status experimental author Florian Roth id 297241f3-8108-4b3a-8c15-2dda9f844594 license Sigma · DRL-1.1

view Sigma YAML

title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/rsync'
            - '/rsyncd'
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
    filter_main_expected:
        CommandLine|contains: ' -e '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Showing 1-2 of 2

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin