Adversaries may use an interactive bash shell to establish persistent access or execute commands in a disguised manner. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or unauthorized interactive sessions.
Detection Rule
title: Bash Interactive Shell
id: 6104e693-a7d6-4891-86cb-49a258523559
status: test
description: Detects execution of the bash shell with the interactive flag "-i".
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
- https://linux.die.net/man/1/bash
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/bash'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Unknown
level: low
imProcessCreate
| where TargetProcessName endswith "/bash" and TargetProcessCommandLine contains " -i "Scenario: Admin performing interactive shell session for troubleshooting
Filter/Exclusion: Exclude processes initiated by root or admin users with tty or pts in the command line.
Example Filter: process.user == "root" && process.command_line contains "pts" || process.command_line contains "tty"
Scenario: Scheduled job using bash with interactive flag for compatibility
Filter/Exclusion: Exclude processes with bash in the command line that are part of a scheduled task (e.g., cron, systemd timer).
Example Filter: process.name == "bash" && process.parent_process.name == "cron" || process.parent_process.name == "systemd"
Scenario: Using bash -i for remote shell access (e.g., via SSH)
Filter/Exclusion: Exclude bash processes initiated by SSH sessions (e.g., sshd or openssh).
Example Filter: process.parent_process.name == "sshd" || process.parent_process.name == "openssh"
Scenario: Running bash in interactive mode for script development
Filter/Exclusion: Exclude processes where bash is used in a development environment (e.g., vim, nano, or emacs with shell integration).
Example Filter: process.name == "bash" && process.parent_process.name == "vim" || process.parent_process.name == "nano"
Scenario: Using bash -i in a CI/CD pipeline for interactive testing
Filter/Exclusion: Exclude bash processes that are part of a CI/CD tool (e.g., Jenkins, GitLab CI, GitHub Actions).
Example Filter: process.parent_process.name == "jenkins" || process.parent_process.name == "gitlab-runner" || process.parent_process.name == "github-runner"