T1059.004 Unix Shell Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "/dev/tcp/", "/dev/udp/",
  "bash -i >& /dev/tcp",
  "nc -e /bin/", "ncat -e", "socat exec:",
  "curl | bash", "curl | sh", "wget | bash", "wget | sh",
  "curl -s | bash", "wget -q | bash",
  "base64 -d", "base64 --decode",
  "python -c 'import socket", "python3 -c 'import socket",
  "perl -e 'use Socket",
  "mkfifo /tmp/", "mknod /tmp/",
  "chmod +s", "chmod 4755", "chmod u+s",
  "crontab -", "/etc/cron",
  "useradd", "usermod -aG",
  "iptables -F", "iptables -P ACCEPT"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("bash", "sh", "zsh", "dash", "ash", "ksh", "csh", "tcsh", "busybox")
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend ReverseShell = ProcessCommandLine has_any ("/dev/tcp/", "nc -e", "ncat -e", "socat exec:")
| extend CurlPipe = ProcessCommandLine has_any ("curl | bash", "curl | sh", "wget | bash", "wget | sh", "curl -s | bash")
| extend Base64Decode = ProcessCommandLine has_any ("base64 -d", "base64 --decode")
| extend PrivEsc = ProcessCommandLine has_any ("chmod +s", "chmod 4755", "useradd", "usermod -aG")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ReverseShell, CurlPipe, Base64Decode, PrivEsc
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

DevOps tools and CI/CD pipelines that use curl|bash patterns for software installation (e.g., install.sh scripts)
System administrators running legitimate setup scripts that decode base64-encoded configuration
Configuration management tools (Ansible, Chef, Puppet, SaltStack) executing shell commands remotely

Splunk

spl

index=linux OR index=syslog sourcetype="syslog" OR sourcetype="linux:auditd"
  ("bash" OR "sh" OR "zsh" OR "dash" OR "/bin/bash" OR "/bin/sh")
| eval ReverseShell=if(match(_raw, "(/dev/tcp/|nc\s+-e\s+/bin/|ncat\s+-e|socat\s+exec:)"), 1, 0)
| eval CurlPipe=if(match(_raw, "(curl.*\|\s*(ba)?sh|wget.*\|\s*(ba)?sh)"), 1, 0)
| eval Base64Decode=if(match(_raw, "(base64\s+(-d|--decode))"), 1, 0)
| eval PrivEsc=if(match(_raw, "(chmod\s+\+s|chmod\s+4755|useradd|usermod\s+-aG)"), 1, 0)
| eval SuspicionScore=ReverseShell*3 + CurlPipe*2 + Base64Decode + PrivEsc*2
| where SuspicionScore > 0
| table _time, host, user, _raw, ReverseShell, CurlPipe, Base64Decode, PrivEsc, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Syslog Linux auditd

Required Sourcetypes

syslog linux:auditd

False Positives

DevOps tools and CI/CD pipelines that use curl|bash patterns for software installation
System administrators running legitimate setup scripts that decode base64-encoded configuration
Configuration management tools (Ansible, Chef, Puppet, SaltStack) executing shell commands remotely

Elastic Security (EQL)

eql

sequence by host.name, process.pid with maxspan=5m
  [process where event.type == "start"
    and process.name in ("bash", "sh", "zsh", "dash", "ash", "ksh", "csh", "tcsh", "busybox")
    and (
      process.args : ("/dev/tcp/*", "/dev/udp/*", "bash -i >& /dev/tcp*") or
      process.args : ("nc -e /bin/*", "ncat -e*", "socat exec:*") or
      process.args : ("curl | bash", "curl | sh", "wget | bash", "wget | sh", "curl -s | bash", "wget -q | bash") or
      process.args : ("base64 -d", "base64 --decode") or
      process.args : ("mkfifo /tmp/*", "mknod /tmp/*") or
      process.args : ("chmod +s", "chmod 4755", "chmod u+s") or
      process.args : ("useradd*", "usermod -aG*") or
      process.args : ("iptables -F", "iptables -P ACCEPT") or
      process.command_line : ("python* -c 'import socket*", "perl -e 'use Socket*")
    )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (auditd module) Syslog

Required Tables

logs-endpoint.events.process-* auditbeat-* filebeat-*

False Positives

System administrators using base64 decoding for legitimate data transformation tasks (e.g., decoding certificates or binary blobs in scripts)
DevOps pipelines using curl | bash patterns to bootstrap configuration management tools like Puppet, Chef, or Ansible installer scripts
Security tools such as vulnerability scanners or CSPM agents that probe shell capabilities or temporarily modify iptables rules during assessment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "Process Name",
  "Command",
  CASE
    WHEN "Command" ILIKE '%/dev/tcp/%' OR "Command" ILIKE '%nc -e /bin/%' OR "Command" ILIKE '%ncat -e%' OR "Command" ILIKE '%socat exec:%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%curl%|%bash%' OR "Command" ILIKE '%curl%|%sh%' OR "Command" ILIKE '%wget%|%bash%' OR "Command" ILIKE '%wget%|%sh%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%base64 -d%' OR "Command" ILIKE '%base64 --decode%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%chmod +s%' OR "Command" ILIKE '%chmod 4755%' OR "Command" ILIKE '%useradd%' OR "Command" ILIKE '%usermod -aG%' THEN 2
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND LOGSOURCETYPEID IN (13, 14, 105, 191)
  AND ("Process Name" ILIKE '%bash%' OR "Process Name" ILIKE '%/bin/sh%' OR "Process Name" ILIKE '%zsh%' OR "Process Name" ILIKE '%dash%' OR "Process Name" ILIKE '%busybox%')
  AND (
    "Command" ILIKE '%/dev/tcp/%' OR
    "Command" ILIKE '%/dev/udp/%' OR
    "Command" ILIKE '%nc -e /bin/%' OR
    "Command" ILIKE '%ncat -e%' OR
    "Command" ILIKE '%socat exec:%' OR
    "Command" ILIKE '%curl%|%bash%' OR
    "Command" ILIKE '%wget%|%bash%' OR
    "Command" ILIKE '%base64 -d%' OR
    "Command" ILIKE '%base64 --decode%' OR
    "Command" ILIKE '%mkfifo /tmp/%' OR
    "Command" ILIKE '%chmod +s%' OR
    "Command" ILIKE '%chmod 4755%' OR
    "Command" ILIKE '%useradd%' OR
    "Command" ILIKE '%usermod -aG%' OR
    "Command" ILIKE '%iptables -F%' OR
    "Command" ILIKE '%python%import socket%' OR
    "Command" ILIKE '%perl -e%use Socket%'
  )
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, starttime DESC

high severity medium confidence

Data Sources

Linux OS (syslog) Linux auditd (LOGSOURCETYPEID 105) Unix Authentication (LOGSOURCETYPEID 13) Syslog (LOGSOURCETYPEID 14)

Required Tables

events

False Positives

Legitimate bootstrap scripts in CI/CD environments that use curl | bash to install build agents or language runtimes
Security teams running authorized red team exercises that deliberately trigger these patterns as part of purple team testing
System hardening scripts that flush and rebuild iptables rules during scheduled maintenance windows

Sumo Logic CSE

sql

_sourceCategory=linux/* OR _sourceCategory=syslog/* OR _sourceCategory=auditd/*
| where _raw matches /bash|\/(bin|usr\/bin)\/(sh|zsh|dash|ash|ksh|csh|tcsh)|busybox/
| parse regex field=_raw "(?<process_cmd>(?:bash|sh|zsh|dash|ash|ksh|csh|tcsh|busybox)[^\n]*)"
| eval reverse_shell = if(process_cmd matches /\/dev\/tcp\/|nc\s+-e\s+\/bin\/|ncat\s+-e|socat\s+exec:/, 1, 0)
| eval curl_pipe = if(process_cmd matches /curl.+\|\s*(ba)?sh|wget.+\|\s*(ba)?sh/, 1, 0)
| eval base64_decode = if(process_cmd matches /base64\s+(--decode|-d)/, 1, 0)
| eval priv_esc = if(process_cmd matches /chmod\s+(\+s|4755|u\+s)|useradd|usermod\s+-aG|iptables\s+-[FP]/, 1, 0)
| eval mkfifo_mknod = if(process_cmd matches /mkfifo\s+\/tmp\/|mknod\s+\/tmp\//, 1, 0)
| eval python_shell = if(process_cmd matches /python3?\s+-c\s+.import socket|perl\s+-e\s+.use Socket/, 1, 0)
| eval suspicion_score = (reverse_shell * 3) + (curl_pipe * 2) + base64_decode + (priv_esc * 2) + mkfifo_mknod + python_shell
| where suspicion_score > 0
| fields _messageTime, _sourceHost, _sourceCategory, process_cmd, reverse_shell, curl_pipe, base64_decode, priv_esc, mkfifo_mknod, python_shell, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity medium confidence

Data Sources

Linux Syslog Auditd logs Sumo Logic Installed Collector (Linux) Sumo Logic Cloud Syslog

Required Tables

_sourceCategory=linux/* _sourceCategory=syslog/* _sourceCategory=auditd/*

False Positives

Package managers and infrastructure-as-code tools (Ansible, Terraform provisioners) that invoke shell interpreters with complex arguments during legitimate provisioning
Developers using base64 decode in development environments to handle encoded configuration values or test payloads
Monitoring agents or backup tools that temporarily add users or modify firewall rules during scheduled maintenance

Google Chronicle / SecOps

yaral

rule unix_shell_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious Unix shell commands indicative of reverse shells, piped remote code execution, base64 payload delivery, SUID manipulation, and privilege escalation (MITRE ATT&CK T1059.004)"
    mitre_attack_technique = "T1059.004"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /\/(bash|sh|zsh|dash|ash|ksh|csh|tcsh|busybox)$/
    (
      $e.target.process.command_line = /\/dev\/(tcp|udp)\/[0-9]+\.[0-9]+/ or
      $e.target.process.command_line = /bash\s+-i\s+>&\s+\/dev\/tcp/ or
      $e.target.process.command_line = /nc(at)?\s+-e\s+\/bin\// or
      $e.target.process.command_line = /socat\s+exec:/ or
      $e.target.process.command_line = /curl.+\|\s*(ba)?sh/ or
      $e.target.process.command_line = /wget.+\|\s*(ba)?sh/ or
      $e.target.process.command_line = /base64\s+(--decode|-d)/ or
      $e.target.process.command_line = /mkfifo\s+\/tmp\// or
      $e.target.process.command_line = /mknod\s+\/tmp\// or
      $e.target.process.command_line = /chmod\s+(\+s|4755|u\+s)/ or
      $e.target.process.command_line = /useradd|usermod\s+-aG/ or
      $e.target.process.command_line = /iptables\s+(-F|-P\s+ACCEPT)/ or
      $e.target.process.command_line = /python3?\s+-c\s+['"]import socket/ or
      $e.target.process.command_line = /perl\s+-e\s+['"]use Socket/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Linux endpoint telemetry (via Chronicle forwarder) Syslog ingestion into Chronicle EDR integration (CrowdStrike, Carbon Black)

Required Tables

UDM Events (process launch type)

False Positives

Automated deployment pipelines using curl | bash to pull and execute installer scripts for legitimate software such as Docker, Node.js, or Python virtual environments
Security testing tools like Metasploit or custom red team frameworks executing staged payloads during authorized penetration tests on systems in the environment
System administrators using netcat for legitimate network diagnostics or data transfer between trusted hosts on internal networks

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(bash|sh|zsh|dash|ash|ksh|csh|tcsh|busybox)$/
| CommandLine = /\/dev\/(tcp|udp)\/\d+\.\d+|bash\s+-i\s+>&\s+\/dev\/tcp|nc(at)?\s+-e\s+\/bin\/|socat\s+exec:|curl.+\|\s*(ba)?sh|wget.+\|\s*(ba)?sh|base64\s+(--decode|-d)|mkfifo\s+\/tmp\/|mknod\s+\/tmp\/|chmod\s+(\+s|4755|u\+s)|useradd|usermod\s+-aG|iptables\s+(-F|-P\s+ACCEPT)|python3?\s+-c\s+['"]import socket|perl\s+-e\s+['"]use Socket/
| eval ReverseShell := CommandLine = /\/dev\/(tcp|udp)\//  OR CommandLine = /bash\s+-i\s+>&\s+\/dev\/tcp/ OR CommandLine = /nc(at)?\s+-e\s+\/bin\// OR CommandLine = /socat\s+exec:/
| eval CurlPipe := CommandLine = /curl.+\|\s*(ba)?sh/ OR CommandLine = /wget.+\|\s*(ba)?sh/
| eval Base64Decode := CommandLine = /base64\s+(--decode|-d)/
| eval PrivEsc := CommandLine = /chmod\s+(\+s|4755|u\+s)/ OR CommandLine = /useradd/ OR CommandLine = /usermod\s+-aG/ OR CommandLine = /iptables\s+(-F|-P\s+ACCEPT)/
| eval NamedPipe := CommandLine = /mkfifo\s+\/tmp\// OR CommandLine = /mknod\s+\/tmp\//
| eval PythonShell := CommandLine = /python3?\s+-c\s+['"]import socket/ OR CommandLine = /perl\s+-e\s+['"]use Socket/
| eval SuspicionScore := (if(ReverseShell, 3, 0)) + (if(CurlPipe, 2, 0)) + (if(Base64Decode, 1, 0)) + (if(PrivEsc, 2, 0)) + (if(NamedPipe, 1, 0)) + (if(PythonShell, 2, 0))
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, FileName, CommandLine, ReverseShell, CurlPipe, Base64Decode, PrivEsc, NamedPipe, PythonShell, SuspicionScore], function=collect([TargetProcessId, timestamp]))
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (Linux sensor) Falcon ProcessRollup2 events CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2

False Positives

Linux server provisioning tools (cloud-init, Ansible, Puppet) that run base64-encoded configuration scripts or invoke shell interpreters with complex argument chains during instance initialization
Container orchestration systems where init containers or sidecar processes run shell scripts with patterns that resemble reverse shell syntax (e.g., health check scripts using /dev/tcp for TCP probing)
Developers and data engineers using Python one-liners with socket imports for legitimate network utility scripts or API clients on developer workstations

Unix Shell

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections