Detect Unix Shell in Elastic Security
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations exist (sh, ash, bash, zsh, etc.). Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads, access interactive shells through C2 channels, leverage shell scripts for persistence, or use stripped-down shells via Busybox on embedded devices and ESXi servers.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.004 Unix Shell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/004/
Elastic Detection Query
sequence by host.name, process.pid with maxspan=5m
[process where event.type == "start"
and process.name in ("bash", "sh", "zsh", "dash", "ash", "ksh", "csh", "tcsh", "busybox")
and (
process.args : ("/dev/tcp/*", "/dev/udp/*", "bash -i >& /dev/tcp*") or
process.args : ("nc -e /bin/*", "ncat -e*", "socat exec:*") or
process.args : ("curl | bash", "curl | sh", "wget | bash", "wget | sh", "curl -s | bash", "wget -q | bash") or
process.args : ("base64 -d", "base64 --decode") or
process.args : ("mkfifo /tmp/*", "mknod /tmp/*") or
process.args : ("chmod +s", "chmod 4755", "chmod u+s") or
process.args : ("useradd*", "usermod -aG*") or
process.args : ("iptables -F", "iptables -P ACCEPT") or
process.command_line : ("python* -c 'import socket*", "perl -e 'use Socket*")
)
]Detects suspicious Unix shell activity associated with reverse shells, piped remote code execution, base64 encoded payloads, SUID bit manipulation, and unauthorized user/firewall modifications. Covers common adversary techniques including /dev/tcp reverse shells, netcat/socat execution, curl/wget pipe-to-shell, and privilege escalation patterns.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using base64 decoding for legitimate data transformation tasks (e.g., decoding certificates or binary blobs in scripts)
- DevOps pipelines using curl | bash patterns to bootstrap configuration management tools like Puppet, Chef, or Ansible installer scripts
- Security tools such as vulnerability scanners or CSPM agents that probe shell capabilities or temporarily modify iptables rules during assessment
Other platforms for T1059.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bash Reverse Shell via /dev/tcp
Expected signal: Auditd: EXECVE record for bash with /dev/tcp in arguments. Syslog: bash process creation. Network connection attempt to 127.0.0.1:4444 (will fail without listener). MDE DeviceProcessEvents on managed Linux endpoints.
- Test 2Curl Pipe to Bash
Expected signal: Auditd: EXECVE records for curl and bash. Process tree shows curl piped to bash. Network connection attempt to 127.0.0.1:8080 (will fail without listener). The curl failure means no content reaches bash.
- Test 3Base64 Encoded Command Execution
Expected signal: Auditd: EXECVE records for echo, base64, and bash. The decoded content 'whoami' will be executed. Syslog captures the process chain.
Unlock Pro Content
Get the full detection package for T1059.004 including response playbook, investigation guide, and atomic red team tests.