Command and Scripting Interpreter (T1059)

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Darwin
  • Global
  • Android

Themes

Tags

Licenses

APT40 Find and Exfiltrate

2022-05-10

/static/assets/linux-logo.svg/static/assets/apple-logo.svg/static/assets/windows-logo.svg
Find and exfiltrate files that potentially contain cleartext usernames or passwords based on filename.
APT40 educational institutions

2022-05-03

/static/assets/windows-logo.svg/static/assets/apple-logo.svg/static/assets/linux-logo.svg
Perform process injection and native API execution techniques.
Operation Ghost

2022-03-15

/static/assets/linux-logo.svg
Emulating APT 29 malware loader via steganography.
Jambi Modules

2021-11-16

/static/assets/windows-logo.svg
Use Powershell functions to create a script implant that dynamically resolves and loads modules at runtime.
JXA Modules

2021-10-05

/static/assets/apple-logo.svg
Use JXA to create a fully modular file-less implant that dynamically resolves and load modules at runtime.
JXA Access

2021-08-24

/static/assets/apple-logo.svg
Use JXA to load a file-less agent into memory and create persistence mechanisms on OS X.
Baron Samedit (Persistence)

2021-08-10

/static/assets/linux-logo.svg
Leverage a Heap-Based Buffer Overflow in Sudo to create a persistence user.
Ransomware

2021-08-10

/static/assets/windows-logo.svg/static/assets/linux-logo.svg/static/assets/apple-logo.svg
Deploy a safe cross-platform ransomware attack.
GhostLoader

2021-07-06

/static/assets/windows-logo.svg
Use the "GhostLoader" technique to run assemblies compiled on the target system.