Indirect Command Execution From Script File Via Bash.EXE

calendar Mar 11, 2024 · attack.defense_evasion attack.t1202  ·
Share on: linkedin copy

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Sigma rule (View on GitHub)

 1title: Indirect Command Execution From Script File Via Bash.EXE
 2id: 2d22a514-e024-4428-9dba-41505bd63a5b
 3related:
 4    - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
 5      type: similar
 6status: experimental
 7description: |
 8    Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
 9    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.    
10references:
11    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
12    - https://linux.die.net/man/1/bash
13    - Internal Research
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023/08/15
16tags:
17    - attack.defense_evasion
18    - attack.t1202
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        - Image|endswith:
25              - ':\Windows\System32\bash.exe'
26              - ':\Windows\SysWOW64\bash.exe'
27        - OriginalFileName: 'Bash.exe'
28    filter_main_cli_flag:
29        CommandLine|contains:
30            # Note: we're not interested in flags being passed first
31            - 'bash.exe -'
32            - 'bash -'
33    filter_main_no_cli:
34        CommandLine: null
35    filter_main_empty:
36        CommandLine: ''
37    filter_main_no_flag:
38        CommandLine:
39            - 'bash.exe'
40            - 'bash'
41    condition: selection and not 1 of filter_main_*
42falsepositives:
43    - Unknown
44level: medium

References

Related rules

to-top