Shell Execution via Git - Linux

Original Source: [Sigma source]
Title: Shell Execution via Git - Linux
Status: experimental
Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
References:
  - https://gtfobins.github.io/gtfobins/git/#shell
Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
Date: 2024-09-02
Modified: None
Tags:
  - attack.execution
  - attack.t1059
Logsource:
  category: process_creation
  product: linux
Detection:
  selection:
    ParentImage|endswith: '/git'
    ParentCommandLine|contains|all:
      - ' -p '
      - 'help'
    CommandLine|contains:
      - 'bash 0<&1'
      - 'dash 0<&1'
      - 'sh 0<&1'
  condition: selection
Falsepositives:
  - Unknown
Level: high
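The selection logic of this rule applied to constructed process_creation events, as an added example that is not part of the Sigma rule or its repository; field names follow the rule, the sample events are made up, and Sigma's default case-insensitive string matching is assumed:

```python
# Values mirror the rule's selection block.
PARENT_IMAGE_SUFFIX = "/git"
PARENT_CMDLINE_ALL = (" -p ", "help")          # contains|all: every one required
CMDLINE_ANY = ("bash 0<&1", "dash 0<&1", "sh 0<&1")  # contains: any one suffices


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection' (condition: selection).

    endswith     -> str.endswith on ParentImage
    contains|all -> every listed substring present in ParentCommandLine
    contains     -> any listed substring present in CommandLine
    Sigma matching is case-insensitive by default, so values are lowercased;
    a missing field never matches.
    """
    parent_image = str(event.get("ParentImage", "")).lower()
    parent_cmd = str(event.get("ParentCommandLine", "")).lower()
    cmd = str(event.get("CommandLine", "")).lower()
    return (
        parent_image.endswith(PARENT_IMAGE_SUFFIX)
        and all(s.lower() in parent_cmd for s in PARENT_CMDLINE_ALL)
        and any(s.lower() in cmd for s in CMDLINE_ANY)
    )


def alerts(events) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # pager-spawned shell from 'git -p help': matches
        "ParentImage": "/usr/bin/git",
        "ParentCommandLine": "git -p help",
        "CommandLine": "/bin/sh -c sh 0<&1",
    },
    {   # git running its normal pager, no shell redirection: no match
        "ParentImage": "/usr/bin/git",
        "ParentCommandLine": "git -p log",
        "CommandLine": "less",
    },
    {   # same child command line but the parent is not git: no match
        "ParentImage": "/bin/bash",
        "ParentCommandLine": "bash",
        "CommandLine": "bash 0<&1",
    },
]
```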