← Library
sigmaDRL-1.1from SigmaHQ/sigma

Indirect Inline Command Execution Via Bash.EXE

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Quality
84
FP risk
Forks
0
Views
0
ATT&CK techniques
T1202
Rule sourcerules/windows/process_creation/proc_creation_win_bash_command_execution.yml
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
    - id: 2d22a514-e024-4428-9dba-41505bd63a5b
      type: similar
status: test
description: |
    Detects execution of Microsoft bash launcher with the "-c" flag.
    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021-11-24
modified: 2023-08-15
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - ':\Windows\System32\bash.exe'
              - ':\Windows\SysWOW64\bash.exe'
        - OriginalFileName: 'Bash.exe'
    selection_cli:
        CommandLine|contains: ' -c '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium