Skip to content

T1059 Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.321

Item Value
ID T1059
Sub-techniques T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009
Tactics TA0002
Platforms Azure AD, Google Workspace, IaaS, Linux, Network, Office 365, Windows, macOS
Version 2.4
Created 31 May 2017
Last Modified 27 March 2023

Procedure Examples

ID Name Description
G0073 APT19 APT19 downloaded and launched code within a SCT file.39
G0050 APT32 APT32 has used COM scriptlets to download Cobalt Strike beacons.44
G0067 APT37 APT37 has used Ruby scripts to execute payloads.38
G0087 APT39 APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance.2829
S0234 Bandook Bandook can support commands to execute Java-based payloads.23
S0486 Bonadan Bonadan can create bind and reverse shells on the infected system.11
S0023 CHOPSTICK CHOPSTICK is capable of performing remote command execution.1617
S0334 DarkComet DarkComet can execute various types of scripts on the victim’s machine.26
S0695 Donut Donut can generate shellcode outputs that execute via Ruby.9
G0035 Dragonfly Dragonfly has used the command line for execution.46
S0363 Empire Empire uses a command-line interface to interact with systems.8
G0053 FIN5 FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.47
G0037 FIN6 FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.4243
G0046 FIN7 FIN7 used SQL scripts to help perform tasks on the victim’s machine.303130
S0618 FIVEHANDS FIVEHANDS can receive a command line argument to limit file encryption to specified directories.1920
G0117 Fox Kitten Fox Kitten has used a Perl reverse shell to communicate with C2.45
S0460 Get2 Get2 has the ability to run executables with command-line arguments.27
S0032 gh0st RAT gh0st RAT is able to open a remote shell to execute commands.1415
S0434 Imminent Monitor Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.10
G0004 Ke3chang Malware used by Ke3chang can run commands on the command-line interface.4041
S0487 Kessel Kessel can create a reverse shell between the infected host and a specified system.11
S0167 Matryoshka Matryoshka is capable of providing Meterpreter shell access.18
S0530 Melcoz Melcoz has been distributed through an AutoIt loader script.22
G0049 OilRig OilRig has used various types of scripting for execution.3233343536
C0005 Operation Spalax For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.49
S0598 P.A.S. Webshell P.A.S. Webshell has the ability to create reverse shells with Perl scripts.25
S0428 PoetRAT PoetRAT has executed a Lua script through a Lua interpreter for Windows.12
S0374 SpeakUp SpeakUp uses Perl scripts.21
G0038 Stealth Falcon Stealth Falcon malware uses WMI to script data collection and command execution on the victim.37
G0107 Whitefly Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.48
G0124 Windigo Windigo has used a Perl script for information gathering.11
S0219 WINERACK WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands.24
S0330 Zeus Panda Zeus Panda can launch remote scripts on the victim’s machine.13

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically quarantine suspicious files.
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content 7.
M1045 Code Signing Where possible, only permit execution of signed scripts.
M1042 Disable or Remove Feature or Program Disable or remove any unnecessary or unused shells or interpreters.
M1038 Execution Prevention Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).6
M1026 Privileged Account Management When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.5
M1021 Restrict Web-Based Content Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution

References

  1. Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021. 

  2. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020. 

  3. Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021. 

  4. Microsoft. (2022, November 17). Just Enough Administration. Retrieved March 27, 2023. 

  5. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015. 

  6. PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023. 

  7. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  9. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  10. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  11. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  12. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  13. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  14. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. 

  15. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  16. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  17. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  18. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  19. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  20. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  21. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  22. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  23. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  24. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  25. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  26. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  27. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  28. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  29. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  30. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  31. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  32. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  33. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018. 

  34. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  35. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  36. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  37. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  38. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  39. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  40. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  41. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  42. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  43. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  44. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  45. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. 

  46. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  47. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  48. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. 

  49. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  50. Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.