Linux Shell Pipe to Shell

Hunt Hypothesis

The Linux Shell Pipe to Shell detection rule identifies adversaries using chained shell commands to execute arbitrary code through a pipeline, potentially bypassing standard command-line parsing and detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy execution techniques commonly used in advanced persistent threats.

Detection Rule

Sigma (Original)

title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*
falsepositives:
    - Legitimate software that uses these patterns
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine startswith "sh -c " or TargetProcessCommandLine startswith "bash -c ") and ((TargetProcessCommandLine contains "| bash " or TargetProcessCommandLine contains "| sh " or TargetProcessCommandLine contains "|bash " or TargetProcessCommandLine contains "|sh ") or (TargetProcessCommandLine endswith "| bash" or TargetProcessCommandLine endswith "| sh" or TargetProcessCommandLine endswith "|bash" or TargetProcessCommandLine endswith " |sh"))

False Positive Guidance

• Scenario: Cron job using sh -c to execute a script and pipe output to another command
  Example: sh -c "echo 'test' | grep 'test'"
  Filter/Exclusion: Exclude processes initiated by cron or with command lines containing /usr/bin/cron in the parent process.

• Scenario: System administration task using sh -c to run a command and pipe output to tee for logging
  Example: sh -c "systemctl status ssh | tee /var/log/ssh_status.log"
  Filter/Exclusion: Exclude processes where the command line includes /bin/tee or /usr/bin/tee in the pipeline.

• Scenario: Scheduled backup script that pipes output to gzip for compression
  Example: sh -c "tar -cf - /backup | gzip > /backup.tar.gz"
  Filter/Exclusion: Exclude processes where the command line includes gzip or tar in the pipeline.

• Scenario: Using sh -c to run a multi-step command with | for data processing
  Example: sh -c "curl https://example.com/data | jq '.' > output.json"
  Filter/Exclusion: Exclude processes where the command line includes jq, curl, or other known data processing tools.

• Scenario: Admin using sh -c to run a command and pipe output to less for inspection
  Example: sh -c "journalctl -u ssh | less"
  Filter/Exclusion: Exclude processes where the command line includes less or journalctl in the pipeline.

MITRE ATT&CK Context

• Tactic: Defense Evasion
• Technique: T1140