Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059 | Command and Scripting Interpreter | |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059 | Command and Scripting Interpreter | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059 | Command and Scripting Interpreter | |
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet
This is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1059.007 | JavaScript | 4 |
| T1059.002 | AppleScript | 3 |
| T1059.010 | AutoHotKey & AutoIT | 3 |
| T1059.009 | Cloud API | 4 |
| T1059.008 | Network Device CLI | 2 |
| T1059.001 | PowerShell | 3 |
| T1059.004 | Unix Shell | 4 |
| T1059.011 | Lua | 3 |
| T1059.006 | Python | 2 |
| T1059.003 | Windows Command Shell | 3 |
| T1059.005 | Visual Basic | 3 |