title: Suspicious Subsystem for Linux Bash Execution
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
status: experimental
description: Performs execution of specified file, can be used as a defensive evasion. 
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
tags:
    - attack.defense_evasion
    - attack.t1202
author: frack113
date: 2021/11/24
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - bash.exe
            - '-c '
    condition: selection
falsepositives:
    - Unknown
level: medium