T1059.004: Unix Shell
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command is executed
unix_mitre_attck_execution: PT-CR-1018: Unix_Hacktool_Usage: The rule detects the use of security analysis tools on Unix hosts
unix_mitre_attck_execution: PT-CR-1019: Unix_Recon_Tools_and_Commands: Reconnaissance commands were executed on a Unix host
unix_mitre_attck_execution: PT-CR-1021: Unix_Suspicious_Command: Suspicious commands were executed on a Unix host
unix_mitre_attck_execution: PT-CR-1031: Unix_Inline_Reverse_or_Bind_Shell: Bind or reverse shell creation is detected based on specific command line patterns
unix_mitre_attck_execution: PT-CR-1071: Unix_Connect_from_Home_Dir: A network API call on behalf of a process running from a user's home directory
supply_chain: PT-CR-1963: SupplyChain_TeamCity_Execution_via_Request: The ability to remotely execute commands was enabled, and code was executed. After obtaining a TeamCity API access token, attackers can enable the rest.debug.processes.enable option, which allows them to run commands on the server via POST requests
postgresql_database: PT-CR-1899: PostgreSQL_Code_Execution: A process running under a database account may indicate that an attacker who gained the ability to execute database queries is attempting to escalate privileges
postgresql_database: PT-CR-1902: PostgreSQL_File_System_Actions: Interaction of the PostgreSQL database with the file system may indicate reconnaissance or a privilege escalation attempt, unless it is part of the database's standard integration with external systems
postgresql_database: PT-CR-1903: Subrule_PostgreSQL_Create_Process: A PostgreSQL database process spawned a subprocess
mitre_attck_defense_evasion: PT-CR-1776: Browser_LOLBin: A process was started using trusted software
it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used
solaris_suspicious_network_activity: PT-CR-545: Solaris_detect_bind_shell: A bind shell connection is detected
solaris_suspicious_network_activity: PT-CR-551: Solaris_detect_run_bash_for_reverse_shell: Reverse shell usage via bash
solaris_suspicious_network_activity: PT-CR-552: Solaris_detect_run_reverse_shell_by_something: Reverse shell usage via third-party tools
unix_mitre_attck_execution: PT-CR-286: Unix_Bind_Shell: An external connection to a bind shell
unix_mitre_attck_execution: PT-CR-294: Unix_Reverse_Shell_via_Bash: A reverse-shell connection using a Bash script
unix_mitre_attck_execution: PT-CR-296: Unix_Reverse_Shell: A reverse-shell connection using third-party tools
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
unix_mitre_attck_execution: PT-CR-482: Unix_Connect_from_Suspicious_Dir: A network API call on behalf of a process run from a suspicious directory
sap_suspicious_user_activity: PT-CR-254: SAPASABAP_GW_Sapxpg_call: SAPXPG run
pt_application_firewall: PT-CR-1906: PTAF_Command_Injection_Detected: PT AF detected OS command injection
pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation. Analytic 1 - Unusual command execution |
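As an added example, not part of this page and not MaxPatrol SIEM's own rule logic: a small Python detector run over constructed process-creation events, checking the kinds of signals the rules listed above key on (a shell spawned by a database or browser process, a binary executed from a user-writable directory, and a burst of reconnaissance commands within one session). Field names, the command lists and the threshold are assumptions.

```python
from collections import Counter

# Assumed field names and thresholds; these are not MaxPatrol SIEM rule definitions.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
RECON_CMDS = {"id", "whoami", "uname", "hostname", "ifconfig", "ip", "netstat", "ss", "ps"}
SERVICE_PARENTS = {"postgres", "mysqld", "nginx"}   # daemons that should never spawn a shell
BROWSER_PARENTS = {"firefox", "chrome", "chromium"}
USER_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
RECON_THRESHOLD = 5   # recon commands per session before a mass-recon alert

def basename(path):
    return path.rsplit("/", 1)[-1]

def classify(ev):
    """Per-event checks: who spawned the shell, and where the binary lives."""
    alerts = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    if image in SHELLS and parent in SERVICE_PARENTS:
        alerts.append("shell_from_service_process")   # cf. Subrule_PostgreSQL_Create_Process
    if image in SHELLS and parent in BROWSER_PARENTS:
        alerts.append("shell_from_browser")           # cf. Browser_LOLBin
    if ev["image"].startswith(USER_WRITABLE):
        alerts.append("exec_from_user_writable_dir")  # cf. Unix_Connect_from_Suspicious_Dir
    return alerts

def detect(events):
    """Run per-event checks and a per-session counter of reconnaissance commands."""
    alerts, recon = [], Counter()
    for ev in events:
        alerts.extend((ev["pid"], name) for name in classify(ev))
        if basename(ev["image"]) in RECON_CMDS:
            recon[ev["session"]] += 1
            if recon[ev["session"]] == RECON_THRESHOLD:   # fire once per session
                alerts.append((ev["pid"], "mass_recon"))  # cf. Unix_Local_Mass_Recon
    return alerts

# Constructed sample telemetry (not real logs): one admin session and two suspicious ones.
EVENTS = [
    {"pid": 1, "session": "a", "parent_image": "/usr/bin/sshd", "image": "/bin/bash"},
    {"pid": 2, "session": "a", "parent_image": "/bin/bash", "image": "/usr/bin/ps"},
    {"pid": 3, "session": "b", "parent_image": "/usr/lib/postgresql/bin/postgres", "image": "/bin/sh"},
    {"pid": 4, "session": "b", "parent_image": "/bin/sh", "image": "/tmp/.x/agent"},
] + [{"pid": 10 + i, "session": "c", "parent_image": "/bin/bash", "image": "/usr/bin/" + c}
     for i, c in enumerate(["id", "whoami", "uname", "hostname", "ps", "netstat"])]

if __name__ == "__main__":
    for pid, name in detect(EVENTS):
        print(pid, name)
```

Running the block reports only the three suspicious events (pids 3, 4 and 14); the single `ps` in the admin session stays below the recon threshold.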
Mitigation
| ID | Name | Description |
|---|---|---|
| M1038 | Execution Prevention | Use application control where appropriate. |