T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1059 Command and Scripting Interpreter
AC-2 Account Management Protects T1059 Command and Scripting Interpreter
AC-3 Access Enforcement Protects T1059 Command and Scripting Interpreter
AC-5 Separation of Duties Protects T1059 Command and Scripting Interpreter
AC-6 Least Privilege Protects T1059 Command and Scripting Interpreter
CA-7 Continuous Monitoring Protects T1059 Command and Scripting Interpreter
CA-8 Penetration Testing Protects T1059 Command and Scripting Interpreter
CM-11 User-installed Software Protects T1059 Command and Scripting Interpreter
CM-2 Baseline Configuration Protects T1059 Command and Scripting Interpreter
CM-5 Access Restrictions for Change Protects T1059 Command and Scripting Interpreter
CM-6 Configuration Settings Protects T1059 Command and Scripting Interpreter
CM-7 Least Functionality Protects T1059 Command and Scripting Interpreter
CM-8 System Component Inventory Protects T1059 Command and Scripting Interpreter
IA-2 Identification and Authentication (organizational Users) Protects T1059 Command and Scripting Interpreter
IA-8 Identification and Authentication (non-organizational Users) Protects T1059 Command and Scripting Interpreter
IA-9 Service Identification and Authentication Protects T1059 Command and Scripting Interpreter
RA-5 Vulnerability Monitoring and Scanning Protects T1059 Command and Scripting Interpreter
SC-18 Mobile Code Protects T1059 Command and Scripting Interpreter
SI-10 Information Input Validation Protects T1059 Command and Scripting Interpreter
SI-16 Memory Protection Protects T1059 Command and Scripting Interpreter
SI-2 Flaw Remediation Protects T1059 Command and Scripting Interpreter
SI-3 Malicious Code Protection Protects T1059 Command and Scripting Interpreter
SI-4 System Monitoring Protects T1059 Command and Scripting Interpreter
SI-7 Software, Firmware, and Information Integrity Protects T1059 Command and Scripting Interpreter
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059 Command and Scripting Interpreter
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059 Command and Scripting Interpreter
action.hacking.vector.Command shell Remote shell related-to T1059 Command and Scripting Interpreter

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1059.007 JavaScript 19
T1059.002 AppleScript 19
T1059.008 Network Device CLI 17
T1059.001 PowerShell 21
T1059.004 Unix Shell 14
T1059.006 Python 17
T1059.003 Windows Command Shell 14
T1059.005 Visual Basic 20