Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.IR-01.08 | End-user device access | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters.
References
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code that pop up via adblockers and ads.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059 | Command and Scripting Interpreter | |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059 | Command and Scripting Interpreter | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059 | Command and Scripting Interpreter |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using \"certutil.exe\" functionality.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
|
| virus_total | Virus Total | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet
This is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1059.007 | JavaScript | 21 |
| T1059.002 | AppleScript | 19 |
| T1059.010 | AutoHotKey & AutoIT | 16 |
| T1059.009 | Cloud API | 16 |
| T1059.008 | Network Device CLI | 22 |
| T1059.001 | PowerShell | 35 |
| T1059.004 | Unix Shell | 16 |
| T1059.011 | Lua | 15 |
| T1059.006 | Python | 23 |
| T1059.003 | Windows Command Shell | 15 |
| T1059.005 | Visual Basic | 26 |