T1059.004: Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

supply_chain: PT-CR-1963: SupplyChain_TeamCity_Execution_Via_Request: The ability to remotely execute commands was enabled, and code was executed. After obtaining a TeamCity API access token, attackers can enable the rest.debug.processes.enable option, which allows them to run commands on the server via POST requests
solaris_suspicious_network_activity: PT-CR-552: Solaris_Detect_Run_Reverse_Shell_By_Something: Reverse shell usage via third-party tools
solaris_suspicious_network_activity: PT-CR-545: Solaris_Detect_Bind_Shell: A bind shell connection is detected
solaris_suspicious_network_activity: PT-CR-551: Solaris_Detect_Run_Bash_For_Reverse_Shell: Reverse shell usage via bash
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance
pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used
pt_application_firewall: PT-CR-1906: PTAF_Command_Injection_Detected: PT AF detected OS command injection
it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command was executed
it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands were used
mysql_database: PT-CR-617: MySQL_Code_Execution: A process running under the database account may indicate that an attacker who has gained the ability to execute queries against the database is attempting to escalate privileges
unix_mitre_attck_execution: PT-CR-294: Unix_Reverse_Shell_Via_Bash: A reverse-shell connection using a Bash script
unix_mitre_attck_execution: PT-CR-1019: Unix_Recon_Tools_And_Commands: Reconnaissance commands were executed on a Unix host
unix_mitre_attck_execution: PT-CR-1021: Unix_Suspicious_Command: Suspicious commands were executed on a Unix host
unix_mitre_attck_execution: PT-CR-1071: Unix_Connect_From_Home_Dir: A network API call on behalf of a process running from a user's home directory
unix_mitre_attck_execution: PT-CR-286: Unix_Bind_Shell: An external connection to a bind shell
unix_mitre_attck_execution: PT-CR-296: Unix_Reverse_Shell: A reverse-shell connection using third-party tools
unix_mitre_attck_execution: PT-CR-1031: Unix_Inline_Reverse_Or_Bind_Shell: Bind or reverse shell creation is detected from specific command-line patterns
unix_mitre_attck_execution: PT-CR-482: Unix_Connect_From_Suspicious_Dir: A network API call on behalf of a process run from a suspicious directory
unix_mitre_attck_execution: PT-CR-1018: Unix_Hacktool_Usage: The rule detects the use of security analysis tools on Unix hosts
mitre_attck_defense_evasion: PT-CR-1776: Browser_LOLBin: A process was started using trusted software
sap_suspicious_user_activity: PT-CR-254: SAPASABAP_GW_Sapxpg_Call: SAPXPG run
postgresql_database: PT-CR-1899: PostgreSQL_Code_Execution: A process running under the database account may indicate that an attacker who has gained the ability to execute queries against the database is attempting to escalate privileges
postgresql_database: PT-CR-1902: PostgreSQL_File_System_Actions: Interaction between the PostgreSQL database and the file system may indicate reconnaissance or an attempt by an attacker to escalate privileges, unless it is part of the database's standard integration with external systems
postgresql_database: PT-CR-1903: Subrule_PostgreSQL_Create_Process: A subprocess was spawned by a PostgreSQL database process

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation.

Analytic 1 - Unusual command execution

source="Linux:" CommandLine="sh -c" AND (CommandLine="wget" OR CommandLine="curl" OR CommandLine="nc" OR CommandLine="perl")

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Use application control where appropriate.