Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Sigma rule (View on GitHub)
1title: Indirect Inline Command Execution Via Bash.EXE
2id: 5edc2273-c26f-406c-83f3-f4d948e740dd
3related:
4 - id: 2d22a514-e024-4428-9dba-41505bd63a5b
5 type: similar
6status: test
7description: |
8 Detects execution of Microsoft bash launcher with the "-c" flag.
9 This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
10references:
11 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
12author: frack113
13date: 2021-11-24
14modified: 2023-08-15
15tags:
16 - attack.defense-evasion
17 - attack.t1202
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - ':\Windows\System32\bash.exe'
25 - ':\Windows\SysWOW64\bash.exe'
26 - OriginalFileName: 'Bash.exe'
27 selection_cli:
28 CommandLine|contains: ' -c '
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Bash.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE