diff --git a/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml new file mode 100644 index 00000000000..d0fcaadfe6a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml @@ -0,0 +1,58 @@ +title: Potential Arbitrary Command Execution Via Git Config Override +id: b551e93d-e3f1-4076-92eb-dd2dbce9e34d +status: experimental +description: | + Detects execution of "git.exe" with an inline configuration override ("-c") that points a code-execution configuration directive (such as "core.sshCommand", "core.fsmonitor", "core.pager", "core.editor" or "diff.external") at a command interpreter, as well as the use of the "ext::" transport. + Git executes the value of several configuration directives as external programs. This allows a threat actor to abuse the trusted "git.exe" binary as a proxy to run arbitrary commands and evade detection (indirect command execution). + Note that the closely related abuse where the payload is stored inside a repository's ".git/config" file (e.g. "core.fsmonitor") and triggered when an editor or IDE automatically runs "git status" is not observable on the "git.exe" command line and is therefore out of scope for this command-line based rule. +references: + - https://github.com/justinsteven/advisories/blob/c6754fdb255aed503a3cd40023c54419f820c3b3/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md + - https://www.cobalt.io/blog/red-team-technique-exploiting-git-fsmonitor-for-initial-access + - https://github.com/RootUp/git-fsmonitor + - https://gtfobins.github.io/gtfobins/git/ +author: Ashish Pulivarthy (ashish-cybersec) +date: 2026-07-02 +tags: + - attack.execution + - attack.stealth + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\git.exe' + - OriginalFileName: 'git.exe' + selection_config_keys: + CommandLine|contains: + - 'core.sshCommand=' + - 'core.fsmonitor=' + - 'core.pager=' + - 'core.editor=' + - 'sequence.editor=' + - 'diff.external=' + selection_interpreter: + CommandLine|contains: + - 'cmd ' + - 'cmd.exe' + - 'cmd /' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'rundll32' + - 'regsvr32' + - 'wscript' + - 'cscript' + - 'bitsadmin' + - 'certutil' + - '.bat' + - '.cmd' + - '.ps1' + - '.vbs' + - '.hta' + selection_ext_transport: + CommandLine|contains: 'ext::' + condition: selection_img and ((selection_config_keys and selection_interpreter) or selection_ext_transport) +falsepositives: + - Rare legitimate use of a git configuration directive that points to a scripting interpreter (e.g. a custom pager or editor wrapper). Baseline before enabling. +level: medium