Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-7 | Least Functionality | Protects | T1059.004 | Unix Shell | |
| SI-10 | Information Input Validation | Protects | T1059.004 | Unix Shell | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1059.004 | Unix Shell |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1059.004 | Unix Shell |
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1059.004 | Unix Shell |
Comments
The Azure Sentinel Hunting "Rare process running on a Linux host" query can identify uncommon shell usage that may be malicious.
References
|
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1059.004 | Unix Shell |
Comments
This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.
References
|