T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1059 Command and Scripting Interpreter
CM-06 Configuration Settings mitigates T1059 Command and Scripting Interpreter
CM-05 Access Restrictions for Change mitigates T1059 Command and Scripting Interpreter
AC-17 Remote Access mitigates T1059 Command and Scripting Interpreter
IA-09 Service Identification and Authentication mitigates T1059 Command and Scripting Interpreter
IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1059 Command and Scripting Interpreter
SC-18 Mobile Code mitigates T1059 Command and Scripting Interpreter
CM-11 User-installed Software mitigates T1059 Command and Scripting Interpreter
SI-16 Memory Protection mitigates T1059 Command and Scripting Interpreter
SI-02 Flaw Remediation mitigates T1059 Command and Scripting Interpreter
RA-05 Vulnerability Monitoring and Scanning mitigates T1059 Command and Scripting Interpreter
CM-08 System Component Inventory mitigates T1059 Command and Scripting Interpreter
SI-10 Information Input Validation mitigates T1059 Command and Scripting Interpreter
SI-03 Malicious Code Protection mitigates T1059 Command and Scripting Interpreter
SI-07 Software, Firmware, and Information Integrity mitigates T1059 Command and Scripting Interpreter
CM-02 Baseline Configuration mitigates T1059 Command and Scripting Interpreter
CM-02 Baseline Configuration mitigates T1059 Command and Scripting Interpreter
IA-02 Identification and Authentication (Organizational Users) mitigates T1059 Command and Scripting Interpreter
CM-07 Least Functionality mitigates T1059 Command and Scripting Interpreter
SI-04 System Monitoring mitigates T1059 Command and Scripting Interpreter
AC-02 Account Management mitigates T1059 Command and Scripting Interpreter
AC-03 Access Enforcement mitigates T1059 Command and Scripting Interpreter
AC-05 Separation of Duties mitigates T1059 Command and Scripting Interpreter
AC-06 Least Privilege mitigates T1059 Command and Scripting Interpreter

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059 Command and Scripting Interpreter
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059 Command and Scripting Interpreter
action.hacking.vector.Command shell Remote shell related-to T1059 Command and Scripting Interpreter

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1059 Command and Scripting Interpreter
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using \"certutil.exe\" functionality. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
virus_total Virus Total technique_scores T1059 Command and Scripting Interpreter
Comments
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_web_application_firewall AWS Web Application Firewall technique_scores T1059 Command and Scripting Interpreter
Comments
The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet This is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1059.007 JavaScript 19
T1059.002 AppleScript 16
T1059.010 AutoHotKey & AutoIT 15
T1059.009 Cloud API 11
T1059.008 Network Device CLI 16
T1059.001 PowerShell 21
T1059.004 Unix Shell 14
T1059.011 Lua 14
T1059.006 Python 16
T1059.003 Windows Command Shell 14
T1059.005 Visual Basic 18