T1059: Command and Scripting Interpreter
| View on MITRE ATT&CK | T1059 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Mitigations for this technique
MITRE ATT&CK Mitigations
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
How to detect this technique
MITRE ATT&CK Data Components
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Php Inline Command Execution
Renamed NirCmd.EXE Execution
Ruby Inline Command Execution
HackTool - Stracciatella Execution
Suspicious Execution via macOS Script Editor
Azure New CloudShell Created
Payload Decoded and Decrypted via Built-in Utilities
Parent in Public Folder Suspicious Process
Suspicious Installer Package Child Process
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Suspicious Script Execution From Temp Folder
Add New Download Source To Winget
Perl Inline Command Execution
Suspicious Greedy Compression Using Rar.EXE
Use of Pcalua For Execution
Renamed PingCastle Binary Execution
Suspicious File Created In PerfLogs
Writing Of Malicious Files To The Fonts Folder
Potential CobaltStrike Process Patterns
Windows Shell/Scripting Application File Write to Suspicious Folder
Conhost Spawned By Uncommon Parent Process
Abusable DLL Potential Sideloading From Suspicious Location
Outlook EnableUnsafeClientMailRules Setting Enabled
PUA - Wsudo Suspicious Execution
Windows Defender AMSI Trigger Detected
Sysprep on AppData Folder
LOLBIN Execution Of The FTP.EXE Binary
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
VMToolsd Suspicious Child Process
Use of FSharp Interpreters
Suspicious Runscripthelper.exe
Windows Defender Exclusions Added - PowerShell
Unusual Parent Process For Cmd.EXE
Wscript Shell Run In CommandLine
Renamed FTP.EXE Execution
Suspicious Browser Child Process - MacOS
Python Spawning Pretty TTY on Windows
Add Potential Suspicious New Download Source To Winget
Suspicious Program Names
Python Inline Command Execution
Suspicious RASdial Activity
PCRE.NET Package Image Load
Add Insecure Download Source To Winget
Suspicious Java Children Processes
Install New Package Via Winget Local Manifest
PCRE.NET Package Temp Files
Atlassian Confluence CVE-2022-26134
Python Spawning Pretty TTY
Forfiles Command Execution
PowerShell Download and Execution Cradles
HackTool - Sliver C2 Implant Activity Pattern
Renamed CURL.EXE Execution
Suspicious Scan Loop Network
BPFDoor Abnormal Process ID or Lock File Accessed
Suspicious Remote Child Process From Outlook
Windows Defender Threat Detected
Run PowerShell Script from Redirected Input Stream
Use of OpenConsole
Potential Xterm Reverse Shell
Potential Netcat Reverse Shell Execution
Script Interpreter Execution From Suspicious Folder
Hacktool Ruler
Elevated System Shell Spawned From Uncommon Parent Location
Fsutil Behavior Set SymlinkEvaluation
Potential Dosfuscation Activity
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.