Adversaries may use the env command to invoke a shell as a method to bypass execution restrictions or execute arbitrary code in a Linux environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation or command injection attempts that evade traditional detection mechanisms.
Detection Rule
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
- https://gtfobins.github.io/gtfobins/env/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/env'
CommandLine|endswith:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Github operations such as ghe-backup
level: high
imProcessCreate
| where TargetProcessName endswith "/env" and (TargetProcessCommandLine endswith "/bin/bash" or TargetProcessCommandLine endswith "/bin/dash" or TargetProcessCommandLine endswith "/bin/fish" or TargetProcessCommandLine endswith "/bin/sh" or TargetProcessCommandLine endswith "/bin/zsh")Scenario: Scheduled Job Using env to Set Environment Variables
Description: A legitimate scheduled job (e.g., cron job) uses env to set environment variables before executing a script.
Filter/Exclusion: Check for env usage in cron jobs or systemd timers, and exclude paths like /usr/bin/env when used in scripts with known legitimate purposes.
Scenario: Admin Task Using env to Run a Script in a Specific Environment
Description: An administrator uses env to invoke a script in a specific environment (e.g., env PATH=/opt/myapp/bin /opt/myapp/bin/my_script.sh).
Filter/Exclusion: Exclude processes initiated by users with administrative privileges or those running scripts in known legitimate directories like /opt/ or /usr/local/.
Scenario: Containerized Application Using env to Set Configuration
Description: A containerized application (e.g., Docker or Kubernetes) uses env to set environment variables for configuration purposes.
Filter/Exclusion: Exclude processes running inside containers, identified by the presence of container-specific identifiers in the process tree or environment variables like container_id or docker.
Scenario: Debugging Session Using env to Test Shell Behavior
Description: A developer uses env to test shell behavior or debug a script by invoking a shell with modified environment variables.
Filter/Exclusion: Exclude processes initiated from known development tools or user sessions with debug flags (e.g., strace, gdb, or bash -x).
Scenario: Legacy System Compatibility Using env to Run Old Binaries
Description: A legacy system or compatibility layer uses env to execute older binaries that require specific environment settings.
Filter/Exclusion: Exclude processes running in directories