Skip to content
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
title: Potential Arbitrary Command Execution Via Git Config Override
id: b551e93d-e3f1-4076-92eb-dd2dbce9e34d
status: experimental
description: |
Detects execution of "git.exe" with an inline configuration override ("-c") that points a code-execution configuration directive (such as "core.sshCommand", "core.fsmonitor", "core.pager", "core.editor" or "diff.external") at a command interpreter, as well as the use of the "ext::" transport.
Git executes the value of several configuration directives as external programs. This allows a threat actor to abuse the trusted "git.exe" binary as a proxy to run arbitrary commands and evade detection (indirect command execution).
Note that the closely related abuse where the payload is stored inside a repository's ".git/config" file (e.g. "core.fsmonitor") and triggered when an editor or IDE automatically runs "git status" is not observable on the "git.exe" command line and is therefore out of scope for this command-line based rule.
references:
- https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md
- https://www.cobalt.io/blog/red-team-technique-exploiting-git-fsmonitor-for-initial-access
- https://github.com/RootUp/git-fsmonitor
- https://gtfobins.github.io/gtfobins/git/
author: Ashish Pulivarthy (ashish-cybersec)
date: 2026-07-02
tags:
- attack.execution
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\git.exe'
- OriginalFileName: 'git.exe'
selection_config_keys:
CommandLine|contains:
- 'core.sshCommand='
- 'core.fsmonitor='
- 'core.pager='
- 'core.editor='
- 'sequence.editor='
- 'diff.external='
selection_interpreter:
CommandLine|contains:
- 'cmd '
- 'cmd.exe'
- 'cmd /'
- 'powershell'
- 'pwsh'
- 'mshta'
- 'rundll32'
- 'regsvr32'
- 'wscript'
- 'cscript'
- 'bitsadmin'
- 'certutil'
- '.bat'
- '.cmd'
- '.ps1'
- '.vbs'
- '.hta'
selection_ext_transport:
CommandLine|contains: 'ext::'
condition: selection_img and ((selection_config_keys and selection_interpreter) or selection_ext_transport)
falsepositives:
- Rare legitimate use of a git configuration directive that points to a scripting interpreter (e.g. a custom pager or editor wrapper). Baseline before enabling.
level: medium
Loading