title: Suspicious Subsystem for Linux Bash Execution
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
status: experimental
description: Performs execution of specified file, can be used for defensive evasion.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021/11/24
modified: 2022/10/26
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - bash.exe
            - '-c '
    filter_git:
        - ParentCommandLine|contains:
            - 'C:\Program Files\Git\post-install.bat'
            - 'C:\Program Files (x86)\Git\post-install.bat'
            - 'echo /etc/post-install/*.post'  # needed for occurrences where the *.bat is the grandparent
        - CommandLine|contains: 'echo /etc/post-install/*.post'  # needed for WinEvtLog 4688 events
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium