T1623.001 Unix Shell
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.
| Item | Value |
|---|---|
| ID | T1623.001 |
| Sub-techniques | T1623.001 |
| Tactics | TA0041 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1061 | AbstractEmu | AbstractEmu has included encoded shell scripts to potentially aid in the rooting process.5 |
| S0655 | BusyGasper | BusyGasper can run shell commands.7 |
| S0555 | CHEMISTGAMES | CHEMISTGAMES can run bash commands.2 |
| S0550 | DoubleAgent | DoubleAgent can run arbitrary shell commands.4 |
| S0544 | HenBox | HenBox can run commands as root.6 |
| S0558 | Tiktok Pro | Tiktok Pro can execute commands .3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation can often detect jailbroken or rooted devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can typically detect jailbroken or rooted devices. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Metadata |
References
-
Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022. ↩
-
B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. ↩
-
S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩
-
P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. ↩
-
A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. ↩
-
Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. ↩