Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1059 | Command and Scripting Interpreter | |
| AC-3 | Access Enforcement | Protects | T1059 | Command and Scripting Interpreter | |
| AC-5 | Separation of Duties | Protects | T1059 | Command and Scripting Interpreter | |
| AC-6 | Least Privilege | Protects | T1059 | Command and Scripting Interpreter | |
| CA-8 | Penetration Testing | Protects | T1059 | Command and Scripting Interpreter | |
| CM-11 | User-installed Software | Protects | T1059 | Command and Scripting Interpreter | |
| CM-2 | Baseline Configuration | Protects | T1059 | Command and Scripting Interpreter | |
| CM-5 | Access Restrictions for Change | Protects | T1059 | Command and Scripting Interpreter | |
| CM-6 | Configuration Settings | Protects | T1059 | Command and Scripting Interpreter | |
| CM-7 | Least Functionality | Protects | T1059 | Command and Scripting Interpreter | |
| CM-8 | System Component Inventory | Protects | T1059 | Command and Scripting Interpreter | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1059 | Command and Scripting Interpreter | |
| IA-8 | Identification and Authentication (non-organizational Users) | Protects | T1059 | Command and Scripting Interpreter | |
| IA-9 | Service Identification and Authentication | Protects | T1059 | Command and Scripting Interpreter | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1059 | Command and Scripting Interpreter | |
| SC-18 | Mobile Code | Protects | T1059 | Command and Scripting Interpreter | |
| SI-10 | Information Input Validation | Protects | T1059 | Command and Scripting Interpreter | |
| SI-2 | Flaw Remediation | Protects | T1059 | Command and Scripting Interpreter | |
| SI-3 | Malicious Code Protection | Protects | T1059 | Command and Scripting Interpreter | |
| SI-4 | System Monitoring | Protects | T1059 | Command and Scripting Interpreter | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1059 | Command and Scripting Interpreter | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal.
The following Azure Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "Anomalous Code Execution" can identifyanomalous runCommand operations on virtual machines, "Azure CloudShell Usage" can identify potentially malicious use of CloudShell, "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse.
The following Azure Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell, "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related ccount and permission changes via execution.
References
|
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
References
|
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1059.002 | AppleScript | 10 |
| T1059.007 | JavaScript/JScript | 11 |
| T1059.008 | Network Device CLI | 10 |
| T1059.001 | PowerShell | 20 |
| T1059.006 | Python | 11 |
| T1059.004 | Unix Shell | 6 |
| T1059.005 | Visual Basic | 12 |
| T1059.003 | Windows Command Shell | 5 |