Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Sigma rule (View on GitHub)
1title: Indirect Inline Command Execution Via Bash.EXE
2id: 5edc2273-c26f-406c-83f3-f4d948e740dd
3related:
4 - id: 2d22a514-e024-4428-9dba-41505bd63a5b
5 type: similar
6status: experimental
7description: |
8 Detects execution of Microsoft bash launcher with the "-c" flag.
9 This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
10references:
11 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
12author: frack113
13date: 2021/11/24
14modified: 2023/08/15
15tags:
16 - attack.defense_evasion
17 - attack.t1202
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - ':\Windows\System32\bash.exe'
25 - ':\Windows\SysWOW64\bash.exe'
26 - OriginalFileName: 'Bash.exe'
27 selection_cli:
28 CommandLine|contains: ' -c '
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Executes calc.exe from bash.exe bash.exe -c calc.exe Use casePerforms execution of specified file, can be used as a defensive evasion. Privileges requiredUser Operating systemsWindows 10 ATT&CK® te...
Read More
Related rules
- Indirect Command Execution From Script File Via Bash.EXE
- Use of Setres.exe
- Findstr Launching .lnk File
- Renamed PingCastle Binary Execution
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE