From b326d166dcd2ee2f7dce36fb730e433e8fe15a25 Mon Sep 17 00:00:00 2001 From: Ashish Pulivarthy Date: Thu, 2 Jul 2026 12:51:37 +0530 Subject: [PATCH 1/2] Add rule: arbitrary command execution via git config override --- ...ation_win_git_config_command_execution.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml new file mode 100644 index 00000000000..9ce12edfba2 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml @@ -0,0 +1,58 @@ +title: Potential Arbitrary Command Execution Via Git Config Override +id: b551e93d-e3f1-4076-92eb-dd2dbce9e34d +status: experimental +description: | + Detects execution of "git.exe" with an inline configuration override ("-c") that points a code-execution configuration directive (such as "core.sshCommand", "core.fsmonitor", "core.pager", "core.editor" or "diff.external") at a command interpreter, as well as the use of the "ext::" transport. + Git executes the value of several configuration directives as external programs. This allows a threat actor to abuse the trusted "git.exe" binary as a proxy to run arbitrary commands and evade detection (indirect command execution). + Note that the closely related abuse where the payload is stored inside a repository's ".git/config" file (e.g. "core.fsmonitor") and triggered when an editor or IDE automatically runs "git status" is not observable on the "git.exe" command line and is therefore out of scope for this command-line based rule. +references: + - https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md + - https://www.cobalt.io/blog/red-team-technique-exploiting-git-fsmonitor-for-initial-access + - https://github.com/RootUp/git-fsmonitor + - https://gtfobins.github.io/gtfobins/git/ +author: Ashish Pulivarthy (ashish-cybersec) +date: 2026-07-02 +tags: + - attack.execution + - attack.stealth + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\git.exe' + - OriginalFileName: 'git.exe' + selection_config_keys: + CommandLine|contains: + - 'core.sshCommand=' + - 'core.fsmonitor=' + - 'core.pager=' + - 'core.editor=' + - 'sequence.editor=' + - 'diff.external=' + selection_interpreter: + CommandLine|contains: + - 'cmd ' + - 'cmd.exe' + - 'cmd /' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'rundll32' + - 'regsvr32' + - 'wscript' + - 'cscript' + - 'bitsadmin' + - 'certutil' + - '.bat' + - '.cmd' + - '.ps1' + - '.vbs' + - '.hta' + selection_ext_transport: + CommandLine|contains: 'ext::' + condition: selection_img and ((selection_config_keys and selection_interpreter) or selection_ext_transport) +falsepositives: + - Rare legitimate use of a git configuration directive that points to a scripting interpreter (e.g. a custom pager or editor wrapper). Baseline before enabling. +level: medium From bc1acf876b10fa530813fcbadec2ac3df2adb3cc Mon Sep 17 00:00:00 2001 From: Ashish Pulivarthy Date: Thu, 2 Jul 2026 23:59:24 +0530 Subject: [PATCH 2/2] Fix reference URL in Git config command execution rule Updated reference URL for the advisory on Git configuration abuse. --- .../proc_creation_win_git_config_command_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml index 9ce12edfba2..d0fcaadfe6a 100644 --- a/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_git_config_command_execution.yml @@ -6,7 +6,7 @@ description: | Git executes the value of several configuration directives as external programs. This allows a threat actor to abuse the trusted "git.exe" binary as a proxy to run arbitrary commands and evade detection (indirect command execution). Note that the closely related abuse where the payload is stored inside a repository's ".git/config" file (e.g. "core.fsmonitor") and triggered when an editor or IDE automatically runs "git status" is not observable on the "git.exe" command line and is therefore out of scope for this command-line based rule. references: - - https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md + - https://github.com/justinsteven/advisories/blob/c6754fdb255aed503a3cd40023c54419f820c3b3/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md - https://www.cobalt.io/blog/red-team-technique-exploiting-git-fsmonitor-for-initial-access - https://github.com/RootUp/git-fsmonitor - https://gtfobins.github.io/gtfobins/git/