T1059.004 — Unix Shell

Technique

T1059.004

Tactics

Execution

MISP citations

0

KEV CVEs mapped

14

Community rules

18

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1059/004

MITRE description

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-25257
• CVE-2024-27443
• CVE-2024-24919
• CVE-2023-46604
• CVE-2023-44221
• CVE-2023-39780
• CVE-2023-38831
• CVE-2022-20700
• CVE-2022-20699
• CVE-2021-36380
• CVE-2019-0708
• CVE-2016-10033
• CVE-2014-7169
• CVE-2014-6271

Detection coverage

SigmaHQ community rules

• Axios NPM Compromise Indicators - Linux (emerging-threats)
• Axios NPM Compromise Indicators - macOS (emerging-threats)
• Potentially Suspicious Long Filename Pattern - Linux (threat-hunting)
• AWS EC2 Startup Shell Script Change (core)
• Suspicious Commands Linux (core)
• Potential Abuse of Linux Magic System Request Key (core)
• Equation Group Indicators (core)
• Suspicious Activity in Shell Commands (core)
• Suspicious Reverse Shell Command Line (core)
• JexBoss Command Sequence (core)
• Suspicious Filename with Embedded Base64 Commands (core)
• Linux Reverse Shell Indicator (core)
• BPFtrace Unsafe Option Usage (core)
• Suspicious Download and Execute Pattern via Curl/Wget (core)
• Shell Invocation via Env Command - Linux (core)
• Nohup Execution (core)
• Interactive Bash Suspicious Children (core)
• Script Interpreter Spawning Credential Scanner - Linux (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.