Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1059.004 | Unix Shell | |
| AC-17 | Remote Access | mitigates | T1059.004 | Unix Shell | |
| SI-16 | Memory Protection | mitigates | T1059.004 | Unix Shell | |
| SI-10 | Information Input Validation | mitigates | T1059.004 | Unix Shell | |
| SI-03 | Malicious Code Protection | mitigates | T1059.004 | Unix Shell | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1059.004 | Unix Shell | |
| CM-02 | Baseline Configuration | mitigates | T1059.004 | Unix Shell | |
| SI-04 | System Monitoring | mitigates | T1059.004 | Unix Shell | |
| AC-02 | Account Management | mitigates | T1059.004 | Unix Shell | |
| AC-03 | Access Enforcement | mitigates | T1059.004 | Unix Shell | |
| AC-06 | Least Privilege | mitigates | T1059.004 | Unix Shell |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.004 | Unix Shell |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| security_command_center | Security Command Center | technique_scores | T1059.004 | Unix Shell |
Comments
SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to execute commands in compromised systems. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1059.004 | Unix Shell |
Comments
The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.
AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet
This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.
References
|