Indirect Inline Command Execution Via Bash.EXE

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Sigma rule (View on GitHub)

 1title: Indirect Inline Command Execution Via Bash.EXE
 2id: 5edc2273-c26f-406c-83f3-f4d948e740dd
 3related:
 4    - id: 2d22a514-e024-4428-9dba-41505bd63a5b
 5      type: similar
 6status: test
 7description: |
 8    Detects execution of Microsoft bash launcher with the "-c" flag.
 9    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.    
10references:
11    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
12author: frack113
13date: 2021-11-24
14modified: 2023-08-15
15tags:
16    - attack.defense-evasion
17    - attack.t1202
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - ':\Windows\System32\bash.exe'
25              - ':\Windows\SysWOW64\bash.exe'
26        - OriginalFileName: 'Bash.exe'
27    selection_cli:
28        CommandLine|contains: ' -c '
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Related rules

to-top