Unix Shell
Unix Shell [T1059.004]
Information
Introduction
Unix Shell (T1059.004) is a sub-technique under the MITRE ATT&CK framework's Execution tactic, specifically categorized under Command and Scripting Interpreter (T1059). Attackers leverage Unix shells, such as Bash, Zsh, or Sh, to execute malicious code, run scripts, automate tasks, and interact directly with compromised systems. This sub-technique encompasses the use of shell commands and scripts executed directly through the Unix/Linux command-line interface or via scripts, providing attackers with flexible and powerful tools to achieve their objectives.
Deep Dive Into Technique
Attackers commonly exploit Unix shells due to their ubiquity, flexibility, and powerful scripting capabilities. Unix shells provide access to system resources, file systems, network communications, and user privileges, making them ideal for attackers to carry out malicious activities.
Technical details and execution methods include:
Interactive Shell Sessions:
Directly running commands or scripts through interactive shell sessions (e.g., Bash, Sh, Zsh).
Attackers may establish interactive shells remotely through SSH, Telnet, or reverse shells initiated via netcat, Python, Perl, or other scripting languages.
Script Execution:
Using shell scripts (.sh files) to automate malicious actions, such as privilege escalation, reconnaissance, lateral movement, and persistence.
Scripts can be executed manually, via cron jobs, or through exploitation of vulnerable services and applications.
Shell Built-ins and Utilities:
Utilizing standard Unix utilities such as
curl,wget,scp,ssh,nc,sed,awk, and others to facilitate data exfiltration, payload downloads, persistence, or lateral movement.Employing built-in shell commands (
echo,printf,exec,eval) to execute encoded or obfuscated payloads.
Chained Commands and Obfuscation:
Attackers often chain commands using pipes (
|), semicolons (;), logical operators (&&,||), and redirections (>,<) to execute multiple actions in a single line or script.Obfuscation techniques, such as base64 encoding, hexadecimal encoding, or character substitution, are frequently used to evade detection.
Privilege Elevation Attempts:
Attackers may exploit misconfigured SUID binaries, sudo privileges, or kernel vulnerabilities through shell commands and scripts to escalate privileges from standard user accounts to root.
When this Technique is Usually Used
Attackers leverage Unix shell sub-techniques across multiple stages of the attack lifecycle, including:
Initial Access and Exploitation:
Exploiting vulnerabilities in web applications, SSH services, or remote code execution flaws to establish initial shell access.
Execution and Persistence:
Executing malicious scripts or commands to establish persistent backdoors, cron jobs, or scheduled tasks.
Using shell scripts to maintain persistence by automating reconnection attempts or creating hidden processes.
Privilege Escalation:
Exploiting misconfigured permissions, vulnerable binaries, or kernel exploits via shell commands to elevate privileges.
Defense Evasion:
Using shell commands to disable logging, modify audit trails, clear log files, or obfuscate malicious activities.
Credential Access and Lateral Movement:
Extracting credentials from configuration files, environment variables, or memory.
Using SSH, SCP, or other shell-based utilities to move laterally within the network.
Collection and Exfiltration:
Employing shell commands and utilities (
tar,gzip,scp,curl,wget) to compress and send sensitive data to attacker-controlled infrastructure.
How this Technique is Usually Detected
Detection of Unix shell sub-techniques involves monitoring and analyzing various system and network indicators, including:
Process Monitoring and Auditing:
Monitoring process execution logs (
auditd,syslog,auth.log,bash_history) to detect suspicious or unusual command executions.Implementing Linux audit frameworks (Auditd rules) to track execution of sensitive commands and binaries.
Command-Line Logging and Analysis:
Capturing and analyzing command-line arguments and parameters for suspicious patterns, obfuscated commands, encoded payloads, or unusual command chaining.
Using Extended Bash History logging (with timestamps and user IDs) to correlate suspicious activities.
File System Monitoring:
Monitoring for creation or modification of suspicious shell scripts (
.shfiles) in unusual directories (/tmp,/dev/shm,/var/tmp, user home directories).Detecting unexpected changes in system binaries or scripts.
Network Traffic Analysis:
Identifying unusual outbound network connections initiated by shell utilities (
curl,wget,nc,scp,rsync) to external IP addresses or domains.Analyzing DNS logs for suspicious domain lookups triggered by shell commands.
User Behavior Analytics:
Leveraging behavioral analytics tools to detect deviations from normal user command-line patterns and workflows.
Specific Indicators of Compromise (IoCs):
Suspicious shell commands (e.g., reverse shells):
Encoded payloads executed via shell commands:
Unusual cron job entries or scheduled tasks executing shell scripts:
Presence of suspicious shell scripts in temporary directories:
Why it is Important to Detect This Technique
Detecting Unix shell sub-techniques early is critical due to their significant impacts on system security, operational stability, and data integrity. Importance includes:
Preventing Privilege Escalation:
Early detection of shell-based privilege escalation attempts prevents attackers from gaining administrative or root-level access, limiting potential damage.
Reducing Dwell Time:
Quickly identifying shell-based malicious activities significantly reduces attacker dwell time, limiting the opportunity to move laterally or exfiltrate sensitive data.
Protecting Sensitive Data:
Detection prevents attackers from successfully exfiltrating sensitive information, intellectual property, or credentials from compromised systems.
Maintaining System Integrity and Availability:
Early identification and remediation of shell-based attacks minimize the risk of attackers disrupting critical system operations, modifying system binaries, or causing denial-of-service conditions.
Improving Incident Response Efficiency:
Clear detection of shell-based malicious activities provides incident responders with actionable intelligence, allowing rapid containment, remediation, and recovery.
Examples
Real-world examples of Unix shell sub-techniques include:
Equifax Data Breach (2017):
Attackers exploited Apache Struts vulnerability (CVE-2017-5638), gaining initial shell access to Equifax servers.
Utilized Unix shell commands to establish persistence, escalate privileges, and exfiltrate sensitive personal data of millions of users.
Shellshock Vulnerability (CVE-2014-6271):
Attackers exploited the Bash Shellshock vulnerability to execute arbitrary shell commands remotely on vulnerable Unix/Linux systems.
Shell commands were used to deploy reverse shells, install malware, and establish persistent access.
Operation Windigo (2014):
Attackers leveraged Unix shell scripts and commands extensively to compromise thousands of Linux servers.
Shell scripts automated malware deployment, credential harvesting, and spam distribution activities.
Crypto-Mining Campaigns:
Attackers frequently leverage Unix shell scripts to download and execute cryptocurrency mining malware on compromised Linux servers.
Shell commands automate malware deployment, persistence, and resource usage monitoring.
Common tools used by attackers in Unix shell attacks:
Reverse shells:
netcat,bash,python,perlData exfiltration utilities:
scp,curl,wget,rsyncPrivilege escalation scripts and tools:
LinEnum.sh,LinPEAS.sh,GTFOBinsAutomated exploitation frameworks:
Metasploit,Empire,Cobalt Strike
Impacts observed in these examples:
Massive data breaches and sensitive information exposure.
System compromise, unauthorized access, and persistent footholds.
Financial loss due to crypto-mining resource abuse.
Significant reputational damage and regulatory penalties.
Last updated
Was this helpful?