T1623 Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities. For example, Android is a UNIX-like OS and includes a basic Unix shell that can be reached over the Android Debug Bridge (ADB) or from application code through Java's `Runtime` class (`Runtime.exec()`), which means any app with code-execution capability can also drive the shell.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.
| Item | Value |
|---|---|
| ID | T1623 |
| Sub-techniques | T1623.001 |
| Tactics | TA0041 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 30 March 2022 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1185 | LightSpy | LightSpy has plugins for executing shell commands either from the C2 server or a library file called zt.dylib.[3][4][2] |
| S1056 | TianySpy | TianySpy can steal information via malicious JavaScript.[5] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation can often detect jailbroken or rooted devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can typically detect jailbroken or rooted devices. |
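The description above notes that Android application code reaches the Unix shell through Java's `Runtime` class, and the two mitigations rely on detecting rooted devices. The following is an added example, not code from the ATT&CK page or from any of the listed software, showing both sides at once: a small `ProcessBuilder` wrapper that drives the shell the way a payload would, reused to gather common root indicators (well-known `su`/Magisk paths, `command -v su`, `ro.build.tags` containing `test-keys`, `ro.debuggable=1`). The indicator list and the `collect()` / `run()` names are this example's own choices; the `getprop` calls only return data on Android and are treated as "no signal" elsewhere, so the class also compiles and runs on a desktop JVM.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not LightSpy/TianySpy code): an on-device root-indicator check
 * that uses the same java.lang.Runtime / ProcessBuilder path the technique abuses.
 */
public class RootIndicators {

    /** Run argv through ProcessBuilder and return trimmed stdout, or "" on any failure. */
    static String run(String... argv) {
        ProcessBuilder pb = new ProcessBuilder(argv).redirectErrorStream(true);
        try {
            Process p = pb.start();
            StringBuilder out = new StringBuilder();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line;
                while ((line = r.readLine()) != null) {
                    out.append(line).append('\n');
                }
            }
            // Bound the wait so a hung helper binary cannot stall the caller.
            if (!p.waitFor(3, TimeUnit.SECONDS)) {
                p.destroyForcibly();
                return "";
            }
            return p.exitValue() == 0 ? out.toString().trim() : "";
        } catch (IOException | InterruptedException e) {
            // Binary absent (e.g. getprop on a desktop JVM) or interrupted: no signal.
            return "";
        }
    }

    /** Assumed list of locations a su binary or Magisk install commonly leaves behind. */
    static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/adb/magisk"
    };

    /** Gather root indicators; an empty list means none of these heuristics fired. */
    static List<String> collect() {
        List<String> hits = new ArrayList<>();
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                hits.add("file:" + path);
            }
        }
        // Ask the shell itself whether su is on PATH (mksh/toybox support command -v).
        String which = run("sh", "-c", "command -v su");
        if (!which.isEmpty()) {
            hits.add("path:" + which);
        }
        // Builds signed with AOSP test keys are a classic custom-ROM/root signal.
        String tags = run("getprop", "ro.build.tags");
        if (tags.contains("test-keys")) {
            hits.add("build-tags:" + tags);
        }
        // Debuggable builds allow root shells over ADB without modification.
        String dbg = run("getprop", "ro.debuggable");
        if (dbg.equals("1")) {
            hits.add("ro.debuggable=1");
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = collect();
        if (hits.isEmpty()) {
            System.out.println("no root indicators found");
        } else {
            for (String h : hits) {
                System.out.println("indicator: " + h);
            }
        }
    }
}
```

Because these checks run inside the app's own process and shell, anything that can tamper with the device can also hide from them (root-hiding modules intercept exactly these file and `getprop` lookups), so treat in-app heuristics as a first signal and back them with server-verified device attestation (M1002) or a dedicated mobile threat defense product (M1010).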
References
1. Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.
2. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
3. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
4. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
5. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.