Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Sigma rule
```yaml
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: experimental
description: |
    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/git'
        ParentCommandLine|contains|all:
            - ' -p '
            - 'help'
        CommandLine|contains:
            - 'bash 0<&1'
            - 'dash 0<&1'
            - 'sh 0<&1'
    condition: selection
falsepositives:
    - Unknown
level: high
```
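The selection above is small enough to re-implement by hand, which is the quickest way to see exactly which process_creation events it does and does not fire on. The block below is an added example, not part of the Sigma rule or of the SigmaHQ tooling: it evaluates the rule's three field tests in plain Python over constructed sample events. The first event approximates what the referenced GTFOBins technique (`PAGER='sh -c "exec sh 0<&1"' git -p help`) looks like when git spawns its pager; the remaining events, the `ProcessEvent` class and the `run_rule` helper are assumptions made for the example, not telemetry or field names from any product.

```python
# Added example: plain-Python evaluation of the rule's "selection" over
# constructed process_creation events. Not the rule's own tooling.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process_creation record; attributes mirror the Sigma field names."""
    label: str                 # only used to name the constructed samples
    parent_image: str          # Sigma ParentImage
    parent_command_line: str   # Sigma ParentCommandLine
    image: str                 # Sigma Image (not tested by this rule)
    command_line: str          # Sigma CommandLine


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    return needle.lower() in haystack.lower()


def matches_git_shell_rule(ev: ProcessEvent) -> bool:
    """Evaluates 'condition: selection' from the rule above for one event."""
    # ParentImage|endswith: '/git'
    if not ev.parent_image.lower().endswith("/git"):
        return False
    # ParentCommandLine|contains|all: ' -p ' AND 'help' (note the spaces around -p)
    if not all(_contains(ev.parent_command_line, tok) for tok in (" -p ", "help")):
        return False
    # CommandLine|contains: any one of the stdin-from-stdout redirect patterns
    return any(_contains(ev.command_line, pat)
               for pat in ("bash 0<&1", "dash 0<&1", "sh 0<&1"))


# Constructed sample events (not real telemetry). Only the first should match.
SAMPLE_EVENTS = [
    ProcessEvent("gtfobins pager shell",
                 "/usr/bin/git", "git -p help",
                 "/usr/bin/sh", "sh -c exec sh 0<&1"),
    ProcessEvent("ordinary git -p help with the less pager",
                 "/usr/bin/git", "git -p help",
                 "/usr/bin/less", "less -FRX"),
    ProcessEvent("--paginate spelling of -p, same PAGER",
                 "/usr/bin/git", "git --paginate help",
                 "/usr/bin/sh", "sh -c exec sh 0<&1"),
    ProcessEvent("!sh escape typed inside less: parent is less, not git",
                 "/usr/bin/less", "less",
                 "/bin/sh", "/bin/sh"),
    ProcessEvent("same redirect string without a git parent",
                 "/usr/bin/bash", "bash",
                 "/usr/bin/sh", "sh -c sh 0<&1"),
]


def run_rule(events):
    """Returns the labels of the events the selection matches, in input order."""
    return [ev.label for ev in events if matches_git_shell_rule(ev)]


if __name__ == "__main__":
    for label in run_rule(SAMPLE_EVENTS):
        print("ALERT:", label)
```

Two of the non-matching samples are worth keeping in mind when tuning: `--paginate` is the long form of git's `-p` global option, so the `' -p '` token (spaces included) does not cover it, and the other GTFOBins variant, typing `!/bin/sh` at the `less` prompt after `git help config`, produces a shell whose parent is the pager rather than git, so it falls outside this rule's `ParentImage` test as well.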
References
- https://gtfobins.github.io/gtfobins/git/#shell
Related rules
- Capsh Shell Invocation - Linux
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Rsync - Linux
- Shell Invocation Via Ssh - Linux
- Shell Invocation via Env Command - Linux