Skip to content

T1623 Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic Unix Shell that can be accessed via the Android Debug Bridge (ADB) or Java’s Runtime package.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

Item Value
ID T1623
Sub-techniques T1623.001
Tactics TA0041
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1056 TianySpy TianySpy can steal information via malicious JavaScript.2

Mitigations

ID Mitigation Description
M1002 Attestation Device attestation can often detect jailbroken or rooted devices.
M1010 Deploy Compromised Device Detection Method Mobile security products can typically detect jailbroken or rooted devices.

Detection

ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0009 Process Process Creation

References

  1. Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022. 

  2. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.