Skip to content

DET0384 Behavioral Detection of Unix Shell Execution

Item Value
ID DET0384
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1059.004 (Unix Shell)

Analytics

Linux

AN1081

Detects bash, sh, zsh, or BusyBox shell execution initiated via remote sessions, unauthorized users, or embedded within secondary script interpreters. Focus is on chained behavior: shell > suspicious commands > network discovery or persistence indicators.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Flow (DC0078) linux:osquery socket_events
Logon Session Creation (DC0067) linux:syslog auth.log / secure.log
Mutable Elements
Field Description
ExecutableName Detect variants like /bin/sh, /usr/local/bin/zsh, /bin/busybox sh.
UserContext Shell used by service accounts, root, or rare accounts.
ParentProcess Shell invoked by unexpected parents (e.g., curl, mail, apache2).
TimeWindow Execution outside maintenance windows or normal activity periods.
CommandLinePattern Flags use of loops, download commands, chaining (

macOS

AN1082

Identifies use of sh/bash/zsh in suspicious context, such as user scripts launched from non-standard apps (e.g., Preview.app), embedded in LaunchDaemons, or executed outside Terminal.app. Looks for misuse in Automator, LaunchAgents, or NSAppleScript-executed shell.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog log stream –predicate ‘eventMessage contains “exec”’
Command Execution (DC0064) macos:osquery launchd + process_events
Script Execution (DC0029) macos:syslog system.log, asl.log
Mutable Elements
Field Description
ScriptLocation Execution from /Users/Shared, ~/Library/LaunchAgents, /tmp.
ParentProcess Shells spawned from Preview, Safari, or AppleScript.
UserRole Detection thresholds may differ for admin vs standard users.

ESXi

AN1083

Detects BusyBox or Ash shell execution from unauthorized logins or remote connections. Focus is on rare shell invocations from DCUI, SSH sessions, or remote management paths. Also watches for payload droppers or persistence artifacts using shell.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:vmkernel DCUI shell start, BusyBox activity
Logon Session Creation (DC0067) esxi:auth Shell login or escalation
Mutable Elements
Field Description
UserContext Non-root use of shell (or root outside maintenance window).
CommandPattern Use of ‘nc’, ‘wget’, or dropper-like behavior in shell.
ShellPath Unexpected invocation of BusyBox/ash from mounted ISO or datastore.

Network Devices

AN1084

Detects Unix shell usage on network appliances (e.g., routers, firewalls, embedded Linux) through rare console commands, CLI interfaces, or script injection via exposed APIs or SSH.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:syslog CLI Command Audit
Network Connection Creation (DC0082) NSM:Flow remote access
Mutable Elements
Field Description
Interface Flags command line access via remote console (telnet/SSH/API) from non-whitelisted source.
CommandString Monitors rare/privileged shell commands (e.g., enable, tftp, firmware mod).