detection.wiki

Command and Scripting Interpreter: Unix Shell T1059.004

Tactic: Execution

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Events covered

13 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
Security-AuditingEvent ID 4688A new process has been created.
ESFexecProcess Execution (Notify)
ESFwriteFile Write (NOTIFY)
Linux-AuditdEvent ID 1302PATH
Linux-AuditdEvent ID 1309EXECVE
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
Sysmon-for-LinuxEvent ID 1Process Create
Sysmon-for-LinuxEvent ID 3Network connection
Sysmon-for-LinuxEvent ID 11File created

Authoring guide

Patterns shared across the 162 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (74 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
event.type119eq 114, in 5, ne 1start, creation, process_started, change, deletion
host.os.type112eq 109, in 4
EventType111eq 61, in 53, ne 1exec, ProcessRollup2, exec_event, connection_attempted, start
process_name107in 64, eq 44, wildcard 17, starts_with 16, match 3, is_not_null 1, ne 1bash, csh, dash, busybox, curl
process.args68eq 39, in 20, wildcard 19, contains 16, starts_with 16, ends_with 3, match 2, ne 2-c, -e, */bin/*sh*, *import*pty*spawn*, *import*subprocess*call*
parent_process_name53eq 36, in 17, starts_with 8, ends_with 4, wildcard 4, contains 1, is_not_null 1, match 1, ne 1bash, csh, dash, apache2, node
CommandLine36contains 22, wildcard 8, is_not_null 5, match 3, eq 2, in 2, ends_with 1, length_compare 1(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery..., (?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(i..., *-*d*, /dev/shm/
Image34is_not_null 9, starts_with 9, ends_with 7, wildcard 7, eq 4, ne 2/dev/shm/, /boot/, ./, /boot/*, /dev/shm/*
container.id18starts_with 11, wildcard 7?, *
event.category18eq 18process, file
ParentImage17is_not_null 7, wildcard 3, ends_with 2, ne 2, starts_with 2, eq 1/bun, /node, /u0*/*, ./, /bin/busybox
process.interactive17eq 17true
TargetFilename16starts_with 6, wildcard 6, contains 2, eq 1, in 1, regex_match 1/dev/shm/*, .git/hooks/, /bin/, /dev/shm/, /entrypoint
ParentCommandLine13contains 4, eq 4, wildcard 2, in 1, ne 1, starts_with 1app.py, asgi.py, django, server.js, *--experimental-https*
process.parent.args12contains 8, eq 5, starts_with 3, wildcard 3, ends_with 2exec, -Dcatalina.base=, -Djboss.home.dir=, -Djetty.home=, -c

Top indicator values (2124 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
104606
EventTypeeq
exec
49171
EventTypeeq
connection_attempted
1225
process_namein
bash
4988
process_namein
sh
4883
process_namein
zsh
4782
process_namein
dash
4378
process_namein
ksh
4173
process_namein
csh
4071
process_namein
fish
4072
process_namein
tcsh
4069
process_namein
busybox
1336
process_namein
curl
1127
EventTypein
exec
48171
EventTypein
start
35134
EventTypein
ProcessRollup2
32117
EventTypein
exec_event
31139
EventTypein
executed
1488
EventTypein
process_started
1174
process.argseq
-c
2030
event.categoryeq
process
17128
process.interactiveeq
true
1742
process_namewildcard
python*
1524
process_namewildcard
php*
1216
process_namewildcard
bash
1114
container.idstarts_with
?
1122
parent_process_namein
bash
1130
parent_process_namein
sh
1130
process_namestarts_with
python
1131
process_namestarts_with
ruby
1121

Exclusions (1131 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
dest_ipcidr_match
127.0.0.0/8
14
dest_ipcidr_match
169.254.0.0/16
14
dest_ipcidr_match
224.0.0.0/4
14
dest_ipcidr_match
::1
14
dest_ipcidr_match
10.0.0.0/8
8
dest_ipcidr_match
100.64.0.0/10
8
dest_ipcidr_match
172.16.0.0/12
8
dest_ipcidr_match
192.0.0.0/24
8
dest_ipcidr_match
192.0.0.0/29
8
dest_ipcidr_match
192.0.0.10/32
8
dest_ipcidr_match
192.0.0.170/32
8
dest_ipcidr_match
192.0.0.171/32
8
dest_ipcidr_match
192.0.0.8/32
8
dest_ipcidr_match
192.0.0.9/32
8
dest_ipcidr_match
192.0.2.0/24
8

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 18 rules

Elastic 135 rules

Splunk 9 rules