title: Unix Shell (T1059.004)
id: df00tech-t1059-004
status: experimental
description: "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations exist (sh, ash, bash, zsh, etc.). Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Adversaries may abuse Unix shells to execute various commands or payloads, access interactive shells through C2 channels, leverage shell scripts for persistence, or use stripped-down shells via Busybox on embedded devices and ESXi servers."
references:
  - https://attack.mitre.org/techniques/T1059/004/
  - https://df00tech.com/detections/T1059.004
author: df00tech
date: 2026/04/17
tags:
  - attack.t1059.004
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# T1059.004 covers Unix shells on Linux, macOS and ESXi, so "product: windows" is unlikely
# to be correct here; a Linux/macOS process_creation source (e.g., auditd or EDR telemetry)
# is the expected logsource for this technique.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: 'EventID: *' matches every event, so deploying this
  # rule as-is at level "high" would alert on all process-creation events. Replace it with the
  # actual logic before use.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "DevOps tools and CI/CD pipelines that use curl|bash patterns for software installation (e.g., install.sh scripts)"
  - "System administrators running legitimate setup scripts that decode base64-encoded configuration"
  - "Configuration management tools (Ansible, Chef, Puppet, SaltStack) executing shell commands remotely"
level: high
