1. Home
  2. ATT&CK Techniques
  3. T1059 Command and Scripting Interpreter

T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
virus_total Virus Total technique_scores T1059 Command and Scripting Interpreter
Comments
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
References
  1. https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
  2. https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
  3. https://assets.virustotal.com/vt-360-outcomes.pdf
chronicle Chronicle technique_scores T1059 Command and Scripting Interpreter
Comments
Chronicle is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using \"certutil.exe\" functionality. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
  1. https://cloud.google.com/chronicle/docs/overview
  2. https://github.com/chronicle/detection-rules

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1059.007 JavaScript 1
T1059.004 Unix Shell 1
T1059.003 Windows Command Shell 1