Adversaries may use AWK to invoke shell commands as a method to execute arbitrary code, bypassing standard command-line detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities or persistence mechanisms that evade traditional detection methods.
Detection Rule
title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: test
description: |
    Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function.
    This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://gtfobins.github.io/gtfobins/awk/#shell
    - https://gtfobins.github.io/gtfobins/gawk/#shell
    - https://gtfobins.github.io/gtfobins/nawk/#shell
    - https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/awk'
            - '/gawk'
            - '/mawk'
            - '/nawk'
        CommandLine|contains: 'BEGIN {system'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/awk" or TargetProcessName endswith "/gawk" or TargetProcessName endswith "/mawk" or TargetProcessName endswith "/nawk")
    and TargetProcessCommandLine contains "BEGIN {system"
    and (TargetProcessCommandLine contains "/bin/bash" or TargetProcessCommandLine contains "/bin/dash" or TargetProcessCommandLine contains "/bin/fish" or TargetProcessCommandLine contains "/bin/sh" or TargetProcessCommandLine contains "/bin/zsh")
Scenario: Scheduled System Maintenance via Cron
Description: A legitimate cron job runs a script that uses awk to process system logs or generate reports.
Filter/Exclusion: process.parent_process_name = "cron" or process.parent_process_path = "/usr/sbin/cron"
Scenario: Log Analysis with AWK for Security Monitoring
Description: A security team uses awk to parse and analyze system logs for anomalies as part of routine monitoring.
Filter/Exclusion: process.command_line contains "logrotate" or process.command_line contains "syslog"
Scenario: Data Transformation in ETL Pipeline
Description: A data pipeline uses awk to transform and format data during ETL processes.
Filter/Exclusion: process.command_line contains "etl_pipeline.sh" or process.command_line contains "data_transform"
Scenario: Admin Task for User Management via AWK
Description: An admin uses awk to process user information from a CSV file to update user accounts.
Filter/Exclusion: process.command_line contains "user_management.sh" or process.command_line contains "csv"
Scenario: Scripted Backup Process with AWK
Description: A backup script uses awk to process and compress backup data before archiving.
Filter/Exclusion: process.command_line contains "backup_script.sh" or process.command_line contains "tar"
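The rule logic and the exclusion scenarios above, replayed over constructed process_creation events as an added example (not part of the original rule or its authors' code). It assumes Sigma field names (Image, CommandLine, ParentImage) in place of the vendor-neutral process.* names used in the scenario filters, and it shows how a broad substring filter such as "tar" suppresses unrelated command lines.

```python
"""Reference implementation of the Sigma rule plus the page's exclusions."""

AWK_SUFFIXES = ("/awk", "/gawk", "/mawk", "/nawk")
SHELL_PATHS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")
# Substrings from the false-positive scenarios (taken verbatim from the page).
EXCLUDED_CMD_SUBSTRINGS = ("logrotate", "syslog", "etl_pipeline.sh",
                           "data_transform", "user_management.sh", "csv",
                           "backup_script.sh", "tar")


def rule_matches(event: dict) -> bool:
    """Sigma string modifiers are case-insensitive, and the condition
    'all of selection_*' requires both selections to hold."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_img = image.endswith(AWK_SUFFIXES) and "begin {system" in cmd
    selection_cli = any(path in cmd for path in SHELL_PATHS)
    return selection_img and selection_cli


def is_excluded(event: dict) -> bool:
    """Scenario filters: a cron parent, or a known maintenance substring."""
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    if parent == "/usr/sbin/cron" or parent.rsplit("/", 1)[-1] == "cron":
        return True
    return any(token in cmd for token in EXCLUDED_CMD_SUBSTRINGS)


def triage(events: list) -> list:
    """Return the ids of events that match the rule and survive the exclusions."""
    return [e["id"] for e in events if rule_matches(e) and not is_excluded(e)]


# Constructed sample events; field values are hypothetical.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": "/usr/bin/awk", "ParentImage": "/bin/bash",
     "CommandLine": "awk 'BEGIN {system(\"/bin/sh\")}'"},           # alert
    {"id": "evt-2", "Image": "/usr/bin/gawk", "ParentImage": "/bin/bash",
     "CommandLine": "gawk -F: '{print $1}' /etc/passwd"},          # no system()
    {"id": "evt-3", "Image": "/usr/bin/awk", "ParentImage": "/usr/sbin/cron",
     "CommandLine": "awk 'BEGIN {system(\"/bin/sh /opt/nightly.sh\")}'"},  # cron
    # "starter.log" contains "tar", so the page's backup filter hides this one;
    # tighten such substrings before deploying them as exclusions.
    {"id": "evt-4", "Image": "/usr/bin/mawk", "ParentImage": "/bin/bash",
     "CommandLine": "mawk 'BEGIN {system(\"/bin/bash\")}' /var/log/starter.log"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # → ['evt-1']
```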