Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AIS-08 | API Security | mitigates | T1059 | Command and Scripting Interpreter | This control implements measures to secure APIs. Using application control and monitoring for and blocking malicious API calls can help prevent adversaries from abusing APIs to execute malicious commands. |
| IAM-16 | Authorization Mechanisms | mitigates | T1059 | Command and Scripting Interpreter | This control requires both the CSP and the CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1059 | Command and Scripting Interpreter | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control and disabling or removing any unnecessary or unused shells or interpreters can mitigate adversary use of command and script interpreters to execute malicious commands. |
| UEM-05 | Endpoint Management | mitigates | T1059 | Command and Scripting Interpreter | This control provides for the implementation of best practices for endpoint management. The execution of unauthorized or malicious code on systems through abuse of command and script interpreters can be prevented by implementing application control, script blocking, and other execution prevention mechanisms. |
| UEM-09 | Anti-Malware Detection and Prevention | mitigates | T1059 | Command and Scripting Interpreter | This control describes the implementation of endpoint security, including anti-malware software, to mitigate the risk of exploitation by threat actors. The implementation guidance gives several examples of what the technical measures under Anti-Malware should help prevent, including: scanning installed software and system data content to identify and remove unauthorized code/software; prohibiting the installation of unauthorized software; restricting the retrieval of malicious data and software from external networks; and managing endpoint removable media. |
| IPY-02 | Application Interface Availability | mitigates | T1059 | Command and Scripting Interpreter | This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and to communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1059 | Command and Scripting Interpreter | This control provides for the implementation of best practices for third-party endpoint management. The execution of unauthorized or malicious code on systems through abuse of command and script interpreters can be prevented by implementing application control, script blocking, and other execution prevention mechanisms. |
| AIS-04 | Secure Application Design and Development | mitigates | T1059 | Command and Scripting Interpreter | This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries use T1059 for various command injection attacks through web application interfaces. Securing serverless functions, cloud APIs, and web applications against command injection can help mitigate this technique. |
| AIS-05 | Automated Application Security Testing | mitigates | T1059 | Command and Scripting Interpreter | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks and session hijacking, and aligning with industry standards such as the OWASP Top 10 to ensure applications are secure. Adversaries may attempt to exploit a weakness in an Internet-facing host or application by using techniques such as SQL injection, command injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1059.009 | Cloud API | 8 |
| T1059.001 | PowerShell | 1 |
| T1059.006 | Python | 1 |
| T1059.005 | Visual Basic | 1 |