MITRE ATT&CK® Detection Strategy

DET0384: Behavioral Detection of Unix Shell Execution

Domain: Enterprise | ID: DET0384 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0384 is a detection strategy for identifying Unix shell execution behavior associated with ATT&CK technique T1059.004. Its business significance is that Unix shells are normal administrative tools on Linux, macOS, ESXi, and network devices, but they also provide a direct way to execute commands and scripts. Leaders should treat this as a control-validation topic: can the organization distinguish expected administration and automation from suspicious shell use on systems that support critical business services?

Executive priority

Prioritize this where Linux, macOS, ESXi, or network device environments support business-critical operations. The key decision value is not simply whether shell execution can be logged, but whether SOC and incident response teams can rapidly answer who launched a shell, from where, on which asset, under what account, and whether the activity aligns with approved administration. This supports operational resilience, audit evidence for monitoring controls, and faster incident triage when command execution is suspected.

Technical view

The supplied ATT&CK relationship states that this strategy detects Unix Shell, a technique under the execution tactic, with related platforms ESXi, Linux, macOS, and Network Devices. SOC and detection engineering teams should validate visibility into shell process execution and script invocation across those environments, especially common shells such as sh, ash, bash, and zsh where applicable. Because no official MITRE detection text is provided for DET0384, local detections should be built and tested against environment-specific baselines for administrative, automation, deployment, and maintenance activity.

Likely telemetry

  • Process creation or command execution records showing shell binaries and parent/child process relationships
  • Script execution evidence, including command-line arguments where collected
  • User, service account, and privilege context associated with shell execution
  • Host or device inventory identifying Linux, macOS, ESXi, and network device coverage
  • Remote administration, automation, or management-session logs that can explain legitimate shell use

Detection direction

  • Confirm which related platforms actually produce usable shell execution telemetry; network devices and ESXi may have different logging depth than general-purpose hosts.
  • Tune detections around context rather than shell name alone, because shell execution is common and often legitimate.
  • Baseline expected administrative and automation patterns, including parent processes, service accounts, maintenance windows, and managed tooling.
  • Prioritize review of shell execution on high-value or sensitive systems where unexpected command execution would materially affect operations.
  • Correlate shell activity with identity context and asset criticality to reduce false positives and improve triage quality.
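One way to turn the directions above into triage logic, as an added example that is not part of the DET0384 object or Glexia's text: it scores process-creation records against an assumed baseline of expected parent processes, service accounts, a maintenance window and critical hosts, so that a shell name alone never alerts. The field names, baseline values and sample records are constructed assumptions, not a real log schema.

```python
# Added example, not part of the DET0384 object or Glexia's text: context-aware
# triage of Unix shell process-creation records per the "Detection direction"
# list. Field names, baseline values and sample records are constructed assumptions.
from datetime import datetime, time
import posixpath

SHELLS = {"sh", "ash", "bash", "zsh", "dash"}

# Assumed environment baseline; in practice this comes from observed history.
BASELINE = {
    "expected_parents": {"cron", "sshd", "systemd", "ansible-runner"},
    "service_accounts": {"root", "svc-deploy", "svc-backup"},
    "maintenance_window": (time(1, 0), time(4, 0)),  # daily, local time
    "critical_hosts": {"db-prod-01", "esxi-core-01"},
}

def score_shell_event(event, baseline=BASELINE):
    """Return (score, reasons); the shell name alone never alerts.
    Each departure from the baseline (parent, account, timing) adds one
    reason, and critical hosts double the total. Non-shell images score 0.
    """
    if posixpath.basename(event["image"]) not in SHELLS:
        return 0, []
    reasons = []
    if event["parent"] not in baseline["expected_parents"]:
        reasons.append("unexpected parent " + event["parent"])
    if event["user"] not in baseline["service_accounts"]:
        reasons.append("non-service account " + event["user"])
    start, end = baseline["maintenance_window"]
    if not start <= datetime.fromisoformat(event["ts"]).time() <= end:
        reasons.append("outside maintenance window")
    weight = 2 if event["host"] in baseline["critical_hosts"] else 1
    return len(reasons) * weight, reasons

def triage(events, threshold=3):
    """Keep only records whose weighted score meets the review threshold."""
    return [e for e in events if score_shell_event(e)[0] >= threshold]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T02:15:00", "host": "web-01", "user": "svc-deploy",
     "parent": "ansible-runner", "image": "/bin/sh"},      # routine automation
    {"ts": "2026-02-10T14:05:00", "host": "db-prod-01", "user": "www-data",
     "parent": "httpd", "image": "/bin/bash"},             # web server spawning a shell
    {"ts": "2026-02-10T14:06:00", "host": "web-01", "user": "alice",
     "parent": "sshd", "image": "/usr/bin/zsh"},           # interactive admin login
    {"ts": "2026-02-10T14:07:00", "host": "web-01", "user": "alice",
     "parent": "zsh", "image": "/usr/bin/python3"},        # not a shell image
]
```

Only the shell spawned by the web server on the critical database host reaches the review threshold; the automation run and the interactive admin login stay below it.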

Mitigation priorities

  • Establish complete asset and platform scope for Linux, macOS, ESXi, and network devices that require monitoring.
  • Enable and retain appropriate command/process/session logging where supported and permitted by policy.
  • Limit administrative shell access to approved users, service accounts, and management paths.
  • Use change-management and maintenance-window context to help separate expected shell use from suspicious execution.
  • Review privileged account controls and remote administration practices for systems where shell access can affect critical operations.

Analyst notes and limits

This take is based on the ATT&CK detection strategy object DET0384 and its relationship to T1059.004 Unix Shell. The object itself does not include an official description, official detection text, tactics, or platforms; the practical scope comes from the related technique, which lists execution as the tactic and ESXi, Linux, macOS, and Network Devices as platforms.

Because the supplied DET0384 fields are sparse, this summary cannot assert specific analytic logic, data components, detection efficacy, adversary usage, or active exploitation. Local environment evidence is required to determine actual telemetry coverage, false-positive patterns, and control gaps.

Official MITRE ATT&CK definition

Behavioral Detection of Unix Shell Execution

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name        Relationship / procedure
Enterprise  T1059.004  Unix Shell  Sub-technique; this object detects Unix Shell.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 33eb8be2f0c2f9e2...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  33eb8be2f0c2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0384

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.