Adversaries may use an interactive Bash shell (bash -i) as the parent of uncommon child processes as part of command and control or persistence activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise through unusual parent/child process chains.
Detection Rule
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.004
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
falsepositives:
    - Legitimate software that uses these patterns
level: medium
imProcessCreate
| where ActingProcessCommandLine =~ "bash -i"
    and (
        (TargetProcessCommandLine contains "-c import "
            or TargetProcessCommandLine contains "base64"
            or TargetProcessCommandLine contains "pty.spawn")
        or (TargetProcessName endswith "whoami"
            or TargetProcessName endswith "iptables"
            or TargetProcessName endswith "/ncat"
            or TargetProcessName endswith "/nc"
            or TargetProcessName endswith "/netcat")
    )
Scenario: A system administrator is using bash to run a scheduled job via cron that executes a legitimate script, such as /usr/local/bin/backup_script.sh.
Filter/Exclusion: Check if the parent process is a known cron daemon (cron or crond) and exclude processes with parent PIDs matching the cron service.

Scenario: A developer is using bash to run a Docker container via docker run, which spawns a child process like dockerd or containerd.
Filter/Exclusion: Exclude processes where the child is a Docker-related process (dockerd, containerd, runc) and the parent is a known Docker CLI tool.

Scenario: A system update is being performed using yum or apt, which spawns child processes like yum-updatesd or aptdaemon.
Filter/Exclusion: Exclude processes where the child is a package manager service (yum-updatesd, aptdaemon, apt, apt-get) and the parent is a known update tool.

Scenario: A user is running a legitimate interactive shell session (e.g., bash) that spawns a child process like vim or nano for editing a configuration file.
Filter/Exclusion: Exclude child processes that are standard text editors (vim, nano, emacs) and are launched from an interactive shell session.

Scenario: A system is running a legitimate service that uses bash to launch a child process like sshd or nginx during startup.
Filter/Exclusion: Exclude processes where the child is a known service process (sshd, nginx, httpd) and the parent is a systemd or init process.
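To validate the rule logic offline before deploying the query, the following added Python example (not part of the original page or the Sigma project) re-implements the Sigma condition "selection and 1 of anomaly*" over a handful of constructed process_creation events. It also shows that the cron and editor scenarios above only fire when the parent command line is literally "bash -i"; the ProcEvent fields and sample values are assumptions made for this demonstration.

```python
from dataclasses import dataclass


# Constructed process_creation events (not real telemetry), using the
# Sigma field names from the rule above.
@dataclass
class ProcEvent:
    ParentCommandLine: str
    CommandLine: str
    Image: str


ANOMALY1_CMDLINE = ("-c import ", "base64", "pty.spawn")
ANOMALY2_IMAGE = ("whoami", "iptables", "/ncat", "/nc", "/netcat")


def matches_rule(ev: ProcEvent) -> bool:
    """Evaluate 'selection and 1 of anomaly*' as the Sigma rule defines it.

    Sigma string matching is case-insensitive by default (and the KQL
    translation uses =~ / contains / endswith, which are too), so all
    comparisons are done on lower-cased values.
    """
    selection = ev.ParentCommandLine.lower() == "bash -i"
    cmd = ev.CommandLine.lower()
    anomaly1 = any(s in cmd for s in ANOMALY1_CMDLINE)
    img = ev.Image.lower()
    anomaly2 = any(img.endswith(s) for s in ANOMALY2_IMAGE)
    return selection and (anomaly1 or anomaly2)


SAMPLE_EVENTS = [
    # pty upgrade pattern the rule targets: anomaly1 ('-c import ' and 'pty.spawn')
    ProcEvent("bash -i", "python3 -c import pty; pty.spawn('/bin/bash')", "/usr/bin/python3"),
    # recon from the interactive shell: anomaly2 (Image ends with 'whoami')
    ProcEvent("bash -i", "whoami", "/usr/bin/whoami"),
    # editor scenario: selection true but neither anomaly -> no alert
    ProcEvent("bash -i", "vim /etc/hosts", "/usr/bin/vim"),
    # login shell, not 'bash -i': selection false -> no alert
    ProcEvent("-bash", "whoami", "/usr/bin/whoami"),
    # cron scenario: image ends with '/nc' but parent is a script, not 'bash -i'
    ProcEvent("/bin/bash /usr/local/bin/backup_script.sh", "nc -z db 5432", "/usr/bin/nc"),
]


def alerts(events):
    """Return the indices of the events that would raise this detection."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: parent={ev.ParentCommandLine!r} child={ev.CommandLine!r}")
```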