Shell Invocation via Env Command - Linux

 1title: Shell Invocation via Env Command - Linux
 2id: bed978f8-7f3a-432b-82c5-9286a9b3031a
 3status: test
 4description: |
 5        Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
 6references:
 7    - https://gtfobins.github.io/gtfobins/env/#shell
 8    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
 9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11modified: 2026-01-08
12tags:
13    - attack.execution
14    - attack.t1059.004
15logsource:
16    category: process_creation
17    product: linux
18detection:
19    selection:
20        Image|endswith: '/env'
21        CommandLine|contains:
22            - '/bin/bash'
23            - '/bin/dash'
24            - '/bin/fish'
25            - '/bin/sh'
26            - '/bin/zsh'
27    condition: selection
28falsepositives:
29    - Github operations such as ghe-backup
30level: high

References

• env | GTFOBins

  

  Living off the land using "env".

  
  Read More

• Linux Restricted Shell Breakout via Linux Binary(s) | Prebuilt detection rules reference

  

  Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning...

  
  Read More

Related rules

• Script Interpreter Spawning Credential Scanner - Linux
• Potential Abuse of Linux Magic System Request Key
• Suspicious Commands Linux
• JexBoss Command Sequence
• Suspicious Download and Execute Pattern via Curl/Wget