
Shell Abuse Detection on *nix Systems

Attackers routinely abuse legitimate, already-installed binaries to spawn interactive shells or escalate privileges on Unix-like systems; living off the land this way avoids dropping tooling that an antivirus or integrity check might catch. Below is a guide to the common techniques and to the log evidence each one leaves behind.


Key Shell Exploitation Methods

1. Using Shell Binaries Directly

The simplest case: an attacker who can already run commands starts an interactive shell, either the default system shell or any other shell installed on the host.

Common Shells:

  • /bin/sh, /bin/bash

  • /usr/bin/zsh, /usr/bin/ksh, /usr/bin/fish

Command Example (lists the shells registered as valid login shells; a shell binary can still be executed even if it is not listed here):

cat /etc/shells

Command-Based Shell Access via Common Binaries

awk

  • Command:

    awk 'BEGIN {system("/bin/sh")}'
  • Detection:

    • Audit Logs:

      grep "awk" /var/log/audit/audit.log
    • Command History:

      history | grep "awk" | grep -i "begin"

busybox

  • Command:

    busybox /bin/sh
  • Detection:

    • Audit Logs:

      grep "busybox" /var/log/audit/audit.log | grep "bin/sh"
    • Command History:

      history | grep "busybox" | grep "bin/sh"

cpan

  • Command:

    cpan
    cpan[1]> ! exec '/bin/bash'
  • Detection:

    • Audit Logs:

      grep "cpan" /var/log/audit/audit.log
    • Command History:

      history | grep "cpan"
    • Note: the shell is started from inside the interactive cpan session, so the cpan command line itself looks benign and only the initial cpan invocation reaches the command history. The evidence is a separate execve of /bin/bash by the same user and tty shortly after cpan was started.

env

  • Command:

    env /bin/sh
  • Detection:

    • Audit Logs:

      grep "env" /var/log/audit/audit.log | grep "bin/sh"
    • Command History:

      history | grep "env" | grep "bin/sh"

find

  • Command:

    find . -exec /bin/sh \; -quit
  • Detection:

    • Audit Logs:

      grep "find" /var/log/audit/audit.log | grep "exec" | grep "/bin/sh"
    • Command History:

      history | grep "find" | grep "exec" | grep "/bin/sh"

nmap

  • Command:

    TF=$(mktemp)
    echo 'os.execute("/bin/sh")' > "$TF"
    nmap --script="$TF"
  • Detection:

    • Audit Logs:

      grep "nmap" /var/log/audit/audit.log | grep "script"
    • Command History:

      history | grep "nmap" | grep "script"

perl

  • Command:

    perl -e 'exec "/bin/sh";'
  • Detection:

    • Audit Logs:

      grep "perl" /var/log/audit/audit.log | grep -- "-e"
    • Command History:

      history | grep "perl" | grep -- "-e"

python

  • Command:

    python -c 'import os; os.system("/bin/sh")'
  • Detection:

    • Audit Logs:

      grep "python" /var/log/audit/audit.log
    • Command History:

      history | grep "python" | grep "os.system"

vim/vi

  • Command:

    vim -c ':!/bin/sh'
  • Detection:

    • Audit Logs:

      grep -wE "vi|vim" /var/log/audit/audit.log | grep -- "-c"
    • Command History:

      history | grep -wE "vi|vim" | grep -- "-c"
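The greps above work line by line on the raw log and miss two things: the SYSCALL record (who, which pid, which tty) and the EXECVE record (the argv) are separate lines that must be joined on the audit serial number, and auditd hex-encodes any argument that contains spaces or quotes, so the awk, perl and python payloads are not greppable as text. The following is an added example, not code from the original page: it parses constructed auditd SYSCALL/EXECVE pairs, decodes hex-encoded arguments, and classifies each exec against the patterns listed above, plus a few near neighbours the same rules cover (gawk/mawk, find -execdir, python subprocess and pty.spawn, nmap --script given as a separate argument). The record layout and field names are those auditd writes; SAMPLE_LOG, the pids, serial numbers and pattern names are invented for the example, and the interactive cpan case is left out because it is not visible in argv.

```python
import re

# Added example, not from the original page.  It assumes auditd runs with a
# rule that audits the execve syscall, so every exec produces a SYSCALL record
# plus an EXECVE record (the argv) sharing one serial number.  SAMPLE_LOG and
# the pattern names are constructed for the example.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "fish"}

def is_shell(path):
    return path.rsplit("/", 1)[-1] in SHELL_NAMES

def parse_record(line):
    """One audit line -> dict.  auditd writes an EXECVE argument unquoted as hex
    when it holds spaces or quotes, so a raw grep never sees the awk payload."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            rec[key] = val[1:-1]
        elif rec.get("type") == "EXECVE" and re.fullmatch(r"a\d+", key) \
                and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            rec[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            rec[key] = val
    m = SERIAL_RE.search(line)
    rec["serial"] = m.group(1) if m else None
    return rec

def load_execs(log_text):
    """Join SYSCALL and EXECVE records by serial -> list of (syscall, argv)."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"syscall": None, "argv": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "EXECVE":
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(int(rec["argc"]))]
    return [(e["syscall"], e["argv"]) for e in events.values() if e["syscall"] and e["argv"]]

def classify(argv):
    """Name the shell-spawning pattern in argv, or None when nothing matches."""
    if not argv:
        return None
    prog, rest = argv[0].rsplit("/", 1)[-1], argv[1:]
    joined = " ".join(rest)
    if prog in ("awk", "gawk", "mawk", "nawk") and "system(" in joined:
        return "awk-system"
    if prog in ("busybox", "env") and rest and is_shell(rest[0]):
        return prog + "-shell"
    if prog == "find" and any(a in ("-exec", "-execdir", "-ok", "-okdir") and is_shell(rest[i + 1])
                              for i, a in enumerate(rest[:-1])):
        return "find-exec-shell"
    if prog == "nmap":
        scripts = [a.split("=", 1)[1] for a in rest if a.startswith("--script=")]
        scripts += [rest[i + 1] for i, a in enumerate(rest[:-1]) if a == "--script"]
        # an NSE file given by path outside the stock script directory is attacker-supplied
        if any("/" in s and not s.startswith("/usr/share/nmap/") for s in scripts):
            return "nmap-nse-script"
    if prog.startswith("perl") and "-e" in rest and re.search(r"\b(exec|system)\b", joined):
        return "perl-e-exec"
    if prog.startswith("python") and "-c" in rest and \
            re.search(r"os\.(system|exec|spawn)|subprocess|pty\.spawn", joined):
        return "python-c-spawn"
    if prog in ("vi", "vim") and any(":!" in a for a in rest):
        return "vim-c-shell"
    return None

def detect(log_text):
    """Return one dict per matching exec with the fields an analyst pivots on."""
    hits = []
    for sc, argv in load_execs(log_text):
        pattern = classify(argv)
        if pattern:
            hits.append({"serial": sc["serial"], "pattern": pattern, "auid": sc.get("auid"),
                         "pid": sc.get("pid"), "ppid": sc.get("ppid"), "tty": sc.get("tty"),
                         "argv": argv})
    return hits

# Constructed records: four abuses from the page (serials 101-104) and one benign find (105).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4300 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="find" exe="/usr/bin/find" key="exec_log"
type=EXECVE msg=audit(1700000000.100:101): argc=6 a0="find" a1="." a2="-exec" a3="/bin/sh" a4=";" a5="-quit"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4301 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="awk" exe="/usr/bin/gawk" key="exec_log"
type=EXECVE msg=audit(1700000000.200:102): argc=2 a0="awk" a1=424547494E207B73797374656D28222F62696E2F736822297D
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4302 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="nmap" exe="/usr/bin/nmap" key="exec_log"
type=EXECVE msg=audit(1700000000.300:103): argc=2 a0="nmap" a1="--script=/tmp/tmp.Ab12Cd"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4303 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="exec_log"
type=EXECVE msg=audit(1700000000.400:104): argc=3 a0="vim" a1="-c" a2=":!/bin/sh"
type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4304 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" key="exec_log"
type=EXECVE msg=audit(1700000000.500:105): argc=8 a0="find" a1="/var/log" a2="-name" a3="*.1" a4="-exec" a5="gzip" a6="{}" a7=";"
"""

if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['pattern']:16} auid={h['auid']} pid={h['pid']} ppid={h['ppid']} {' '.join(h['argv'])}")
```

Run against a real log with detect(open("/var/log/audit/audit.log").read()). The benign find in serial 105 (logrotate's gzip, auid unset) is deliberately included: it contains both "find" and "-exec", which is exactly what the three-stage grep above would flag, while the argv-aware rule only fires when the exec target is a shell.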

Detection Methods

1. Audit Logs

Use auditd to record process executions. auditd only logs what its rules ask for: without a rule that audits the execve system call, audit.log contains no command lines at all and the greps above match nothing. Each execution then produces a SYSCALL record (user, pid, ppid, tty, comm, exe) and an EXECVE record (the argv) that share a serial number. auditd hex-encodes any argument containing spaces or quotes, so a raw grep for a payload such as system("/bin/sh") misses it; ausearch -i reads the log and decodes those arguments, and ausearch -c matches on the comm field.

Example:

grep <command> /var/log/audit/audit.log
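The following rule set is an added example (not from the original page) of what has to be in place before the audit-log checks on this page return anything: it enables execve auditing for logged-in users and tags the binaries listed above with a key. The file location, key names and binary paths are assumptions and must be adjusted to the host; where a path such as /usr/bin/awk or /usr/bin/vi is a symlink, watch the target it resolves to.

```conf
## Added example for /etc/audit/rules.d/shell-abuse.rules (not from the original page).
## Flush existing rules, then enlarge the backlog so bursts of execs are not dropped.
-D
-b 8192
## Record every execve by a logged-in user (auid set); this yields the EXECVE records with argv.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_log
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_log
## Tag execution (-p x) of the binaries this page lists; the paths are assumptions for the host.
-w /usr/bin/gawk -p x -k gtfobins
-w /usr/bin/busybox -p x -k gtfobins
-w /usr/bin/cpan -p x -k gtfobins
-w /usr/bin/env -p x -k gtfobins
-w /usr/bin/find -p x -k gtfobins
-w /usr/bin/nmap -p x -k gtfobins
-w /usr/bin/perl -p x -k gtfobins
-w /usr/bin/python3 -p x -k gtfobins
-w /usr/bin/vim -p x -k gtfobins
```

Load the rules with augenrules --load (or auditctl -R on the file), then query by key: ausearch -k gtfobins -i lists every tagged execution with hex-encoded arguments decoded, and ausearch -k exec_log -i -c find narrows the full exec log to one program. The auid filter keeps system daemons (auid unset) out of the exec log, which is what makes the volume manageable on a busy host.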

2. Command History

Search shell history for specific commands. history is a shell builtin and shows only the current interactive shell's history; for other users or past sessions read the history files themselves (for example ~/.bash_history or ~/.zsh_history for each account). Treat history as weak evidence: an attacker can unset HISTFILE, run history -c, or, when HISTCONTROL=ignorespace is set, prefix commands with a space so they are never written. An empty or truncated history file for an active account is itself worth noting.

Example:

history | grep <command>

3. EDR/XDR Logs

Endpoint Detection and Response solutions provide detailed visibility into:

  • Process executions, including the parent/child lineage (which process spawned the shell).

  • Network connections initiated by unusual binaries.

4. Behavioral Monitoring

Alert on shells whose parent is not a shell, terminal emulator or login service (for example a shell spawned by find, vim, awk, nmap or a scripting interpreter), and on executions of the binaries listed above with the arguments shown. A shell started by an unexpected parent is the strongest single signal, because it does not depend on recognising a particular command-line pattern and survives trivial changes to the technique.


Key Points

Understanding how legitimate binaries are abused to spawn shells, and monitoring for those abuses, is essential for detecting this class of activity. Audit logging must actually be configured to capture process executions before log review is useful; once it is, regular review of those logs combined with EDR or XDR process-lineage data identifies shell spawns early, before an attacker moves to privilege escalation or persistence. Continuous analysis of how processes on a host normally behave remains the foundation of a robust defence.
