Detectionmediumtest

Indirect Inline Command Execution Via Bash.EXE

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Nov 24Updated Tue Aug 155edc2273-c26f-406c-83f3-f4d948e740ddwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith:
              - ':\Windows\System32\bash.exe'
              - ':\Windows\SysWOW64\bash.exe'
        - OriginalFileName: 'Bash.exe'
    selection_cli:
        CommandLine|contains: ' -c '
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1202 · Indirect Command Execution

Related Rules

SimilarDetectionmedium

Indirect Command Execution From Script File Via Bash.EXE

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

5edc2273-c26f-406c-83f3-f4d948e740dd

Status

test

Level

medium

Type

Detection

Created

Wed Nov 24

Modified

Tue Aug 15

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_bash_command_execution.yml

Raw Tags

attack.defense-evasionattack.t1202

View on GitHub