Adversaries may execute shell commands via Git to exfiltrate data or establish persistence on Linux systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities or data theft attempts leveraging Git as a covert channel.
Detection Rule
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: test
description: |
    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/git'
        ParentCommandLine|contains|all:
            - ' -p '
            - 'help'
        CommandLine|contains:
            - 'bash 0<&1'
            - 'dash 0<&1'
            - 'sh 0<&1'
    condition: selection
falsepositives:
    - Unknown
level: high
Sentinel Query (KQL)
imProcessCreate
| where (ParentProcessName endswith "/git" or ActingProcessName endswith "/git")
    and (ActingProcessCommandLine contains " -p " and ActingProcessCommandLine contains "help")
    and (TargetProcessCommandLine contains "bash 0<&1"
         or TargetProcessCommandLine contains "dash 0<&1"
         or TargetProcessCommandLine contains "sh 0<&1")
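As an added example that is not part of the original rule or page, the Sigma selection above implemented in Python and run over constructed process-creation events. Field names follow the Sigma rule; Sigma's default case-insensitive string matching is assumed, which is also how KQL's contains and endswith behave.

```python
# Added example, not from the original page: evaluate the Sigma 'selection'
# over constructed process-creation events. Field names mirror the rule.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ParentImage: str
    ParentCommandLine: str
    CommandLine: str


# Patterns taken verbatim from the rule. Sigma modifiers are
# case-insensitive by default, so everything is compared lowercased.
PARENT_IMAGE_SUFFIX = "/git"                      # ParentImage|endswith
PARENT_CMD_ALL = (" -p ", "help")                 # ParentCommandLine|contains|all
CHILD_CMD_ANY = ("bash 0<&1", "dash 0<&1", "sh 0<&1")  # CommandLine|contains (any)


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies every clause of 'selection'."""
    parent_is_git = ev.ParentImage.lower().endswith(PARENT_IMAGE_SUFFIX)
    parent_cmd = ev.ParentCommandLine.lower()
    pager_help = all(s in parent_cmd for s in PARENT_CMD_ALL)   # note: ' -p ' keeps its spaces
    child_cmd = ev.CommandLine.lower()
    shell_redirect = any(s in child_cmd for s in CHILD_CMD_ANY)
    return parent_is_git and pager_help and shell_redirect


# Constructed sample events (not real telemetry).
EVENTS = {
    # git run with -p and help, spawning a shell whose stdin is tied to stdout: alert
    "pager_shell": ProcessEvent("/usr/bin/git", "git -p help", "/bin/sh 0<&1"),
    # a post-receive hook running bash normally: no 0<&1 redirect, no alert
    "hook": ProcessEvent("/usr/bin/git", "git receive-pack /srv/repo.git",
                         "/bin/bash hooks/post-receive"),
    # 'git -p help' with an ordinary pager: the child is less, not a shell
    "normal_pager": ProcessEvent("/usr/bin/git", "git -p help", "less -FRX"),
    # the same shell redirect, but the parent is not git
    "not_git": ProcessEvent("/usr/bin/python3", "python3 run.py", "/bin/sh 0<&1"),
}


def alerts() -> list[str]:
    """Names of the sample events the rule would fire on."""
    return sorted(name for name, ev in EVENTS.items() if matches_rule(ev))


if __name__ == "__main__":
    for name in alerts():
        print("ALERT:", name, EVENTS[name])
```

Only the pager_shell event fires; the three benign events show which single clause (missing redirect, non-shell child, non-git parent) keeps each of them below the threshold.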
False Positive Scenarios
Scenario: Scheduled Git Pull for Code Deployment
Description: A scheduled job runs git pull to fetch updates from a remote repository as part of a CI/CD pipeline.
Filter/Exclusion: Check for git pull executed by a known CI/CD user (e.g., jenkins, gitlab-ci) or within a known deployment directory (e.g., /opt/applications/myapp).
Scenario: Admin Task to Update Git Repository Locally
Description: An administrator manually runs git pull to update a local repository that is used for internal documentation or configuration management.
Filter/Exclusion: Filter by user (e.g., admin, root) and check for execution in a known admin directory (e.g., /home/admin/configs).
Scenario: Git Hook Execution for Automation
Description: A Git hook (e.g., post-receive, pre-commit) is triggered, which may execute shell commands as part of a local automation workflow.
Filter/Exclusion: Check for execution within a known Git hooks directory (e.g., /home/user/.git/hooks/) and verify whether the command is part of a known hook script.
Scenario: Git Clone for Development Environment Setup
Description: A developer clones a Git repository to set up a local development environment, which may involve running shell scripts during the clone process.
Filter/Exclusion: Filter by user (e.g., dev_user) and check for execution in a known development directory (e.g., /home/dev_user/projects/).
Scenario: Git Submodule Update via Script
Description: A script updates Git submodules, which may trigger shell commands during the update process.
Filter/Exclusion: Check for execution in a known submodule directory (e.g., `/