Detect Unix Shell in Sumo Logic CSE
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations exist (sh, ash, bash, zsh, etc.). Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads, access interactive shells through C2 channels, leverage shell scripts for persistence, or use stripped-down shells via Busybox on embedded devices and ESXi servers.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.004 Unix Shell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/004/
Sumo Detection Query
_sourceCategory=linux/* OR _sourceCategory=syslog/* OR _sourceCategory=auditd/*
| where _raw matches /bash|\/(bin|usr\/bin)\/(sh|zsh|dash|ash|ksh|csh|tcsh)|busybox/
| parse regex field=_raw "(?<process_cmd>(?:bash|sh|zsh|dash|ash|ksh|csh|tcsh|busybox)[^\n]*)"
| eval reverse_shell = if(process_cmd matches /\/dev\/tcp\/|nc\s+-e\s+\/bin\/|ncat\s+-e|socat\s+exec:/, 1, 0)
| eval curl_pipe = if(process_cmd matches /curl.+\|\s*(ba)?sh|wget.+\|\s*(ba)?sh/, 1, 0)
| eval base64_decode = if(process_cmd matches /base64\s+(--decode|-d)/, 1, 0)
| eval priv_esc = if(process_cmd matches /chmod\s+(\+s|4755|u\+s)|useradd|usermod\s+-aG|iptables\s+-[FP]/, 1, 0)
| eval mkfifo_mknod = if(process_cmd matches /mkfifo\s+\/tmp\/|mknod\s+\/tmp\//, 1, 0)
| eval python_shell = if(process_cmd matches /python3?\s+-c\s+.import socket|perl\s+-e\s+.use Socket/, 1, 0)
| eval suspicion_score = (reverse_shell * 3) + (curl_pipe * 2) + base64_decode + (priv_esc * 2) + mkfifo_mknod + python_shell
| where suspicion_score > 0
| fields _messageTime, _sourceHost, _sourceCategory, process_cmd, reverse_shell, curl_pipe, base64_decode, priv_esc, mkfifo_mknod, python_shell, suspicion_score
| sort by suspicion_score desc, _messageTime descDetects suspicious Unix shell activity in Linux syslog and auditd sources using regex pattern matching and weighted suspicion scoring. Identifies reverse shell indicators, piped remote code execution, base64 payload decoding, privilege escalation (SUID), named pipe creation for shell redirection, and Python/Perl socket-based reverse shells.
Data Sources
Required Tables
False Positives & Tuning
- Package managers and infrastructure-as-code tools (Ansible, Terraform provisioners) that invoke shell interpreters with complex arguments during legitimate provisioning
- Developers using base64 decode in development environments to handle encoded configuration values or test payloads
- Monitoring agents or backup tools that temporarily add users or modify firewall rules during scheduled maintenance
Other platforms for T1059.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bash Reverse Shell via /dev/tcp
Expected signal: Auditd: EXECVE record for bash with /dev/tcp in arguments. Syslog: bash process creation. Network connection attempt to 127.0.0.1:4444 (will fail without listener). MDE DeviceProcessEvents on managed Linux endpoints.
- Test 2Curl Pipe to Bash
Expected signal: Auditd: EXECVE records for curl and bash. Process tree shows curl piped to bash. Network connection attempt to 127.0.0.1:8080 (will fail without listener). The curl failure means no content reaches bash.
- Test 3Base64 Encoded Command Execution
Expected signal: Auditd: EXECVE records for echo, base64, and bash. The decoded content 'whoami' will be executed. Syslog captures the process chain.
Unlock Pro Content
Get the full detection package for T1059.004 including response playbook, investigation guide, and atomic red team tests.