
Summary
This detection rule identifies execution of the Bash shell on Windows systems, specifically instances where bash.exe is launched with the '-c' flag. Bash is normally associated with UNIX-like operating systems, but it also runs on Windows through tools such as Git Bash or the Windows Subsystem for Linux (WSL). Bash on Windows is flagged in security assessments because it can serve as an execution proxy, letting an attacker run arbitrary commands through it. The rule uses Splunk queries to collect execution events for 'bash.exe' from endpoint sources and applies regular expressions to the command line to pinpoint invocations that contain '-c'. It relies on Windows Event ID 4688, which logs process creation, to determine whether Bash is being executed in a suspicious context. To exclude benign, repetitive usage, the rule keeps only groups with fewer than five matching events within a defined time span.
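The following is an added example, not part of the rule page or its Splunk query: a small Python re-implementation of the same detection logic (bash.exe process, '-c' on the command line, group count below five) run over constructed Event ID 4688-style records. Field names, the 5-minute window and the host/user grouping key are assumptions, since the page does not state the rule's exact time span or grouping.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like the fields a
# Windows Event ID 4688 process-creation record would provide.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:01", "host": "WS01", "user": "alice",
     "process": r"C:\Program Files\Git\bin\bash.exe", "cmdline": 'bash.exe -c "whoami"'},
    # interactive login shell: bash.exe but no -c, so not a hit
    {"time": "2024-02-09T10:00:05", "host": "WS01", "user": "alice",
     "process": r"C:\Program Files\Git\bin\bash.exe", "cmdline": "bash.exe --login -i"},
    # WSL launcher in System32, one-off command
    {"time": "2024-02-09T10:01:00", "host": "WS02", "user": "bob",
     "process": r"C:\Windows\System32\bash.exe", "cmdline": 'bash.exe -c "uname -a"'},
    # not bash at all, even though "-c" appears in the command line
    {"time": "2024-02-09T10:01:30", "host": "WS04", "user": "carol",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo -c"},
] + [
    # build host running bash -c six times in the same window: noise the
    # count threshold is meant to suppress
    {"time": f"2024-02-09T10:02:{10 * i:02d}", "host": "WS03", "user": "svc_build",
     "process": r"C:\Program Files\Git\bin\bash.exe", "cmdline": 'bash.exe -c "make test"'}
    for i in range(6)
]

# Process name must end in bash.exe (any directory, any case).
BASH_PROCESS = re.compile(r"(?:^|\\)bash\.exe$", re.IGNORECASE)
# "-c" as a standalone token, not a substring of e.g. "--color".
DASH_C = re.compile(r"(?:^|\s)-c(?:\s|$)")
EPOCH = datetime(1970, 1, 1)


def is_bash_with_c(event):
    """True when the event is bash.exe launched with a -c argument."""
    return bool(BASH_PROCESS.search(event["process"])) and bool(DASH_C.search(event["cmdline"]))


def detect(events, window=timedelta(minutes=5), max_count=5):
    """Emulate the rule: keep bash -c executions, bucket them per host/user
    per time window, and alert only on groups with fewer than max_count hits.
    Returns a list of alert dicts sorted by host and user."""
    groups = defaultdict(list)
    for event in events:
        if not is_bash_with_c(event):
            continue
        ts = datetime.fromisoformat(event["time"])
        bucket = (ts - EPOCH) // window  # integer window index, timezone-independent
        groups[(event["host"], event["user"], bucket)].append(event["cmdline"])

    alerts = []
    for (host, user, _bucket), cmdlines in groups.items():
        if len(cmdlines) < max_count:
            alerts.append({"host": host, "user": user,
                           "count": len(cmdlines), "cmdlines": cmdlines})
    return sorted(alerts, key=lambda a: (a["host"], a["user"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["host"]}\\{alert["user"]}: {alert["count"]} bash -c execution(s): {alert["cmdlines"]}')
```

Run as-is it reports the single bash -c invocations on WS01 and WS02 and stays silent on the build host, whose six executions in one window exceed the threshold; the cmd.exe record is dropped by the process-name check before the '-c' regex is consulted.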
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1218
- T1216
Created: 2024-02-09