T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1059 Command and Scripting Interpreter
AC-3 Access Enforcement Protects T1059 Command and Scripting Interpreter
AC-5 Separation of Duties Protects T1059 Command and Scripting Interpreter
AC-6 Least Privilege Protects T1059 Command and Scripting Interpreter
CA-8 Penetration Testing Protects T1059 Command and Scripting Interpreter
CM-11 User-installed Software Protects T1059 Command and Scripting Interpreter
CM-2 Baseline Configuration Protects T1059 Command and Scripting Interpreter
CM-5 Access Restrictions for Change Protects T1059 Command and Scripting Interpreter
CM-6 Configuration Settings Protects T1059 Command and Scripting Interpreter
CM-7 Least Functionality Protects T1059 Command and Scripting Interpreter
CM-8 System Component Inventory Protects T1059 Command and Scripting Interpreter
IA-2 Identification and Authentication (organizational Users) Protects T1059 Command and Scripting Interpreter
IA-8 Identification and Authentication (non-organizational Users) Protects T1059 Command and Scripting Interpreter
IA-9 Service Identification and Authentication Protects T1059 Command and Scripting Interpreter
RA-5 Vulnerability Monitoring and Scanning Protects T1059 Command and Scripting Interpreter
SC-18 Mobile Code Protects T1059 Command and Scripting Interpreter
SI-10 Information Input Validation Protects T1059 Command and Scripting Interpreter
SI-2 Flaw Remediation Protects T1059 Command and Scripting Interpreter
SI-3 Malicious Code Protection Protects T1059 Command and Scripting Interpreter
SI-4 System Monitoring Protects T1059 Command and Scripting Interpreter
SI-7 Software, Firmware, and Information Integrity Protects T1059 Command and Scripting Interpreter
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1059 Command and Scripting Interpreter
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1059 Command and Scripting Interpreter
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
azure_sentinel Azure Sentinel technique_scores T1059 Command and Scripting Interpreter
Comments
This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal. The following Azure Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "Anomalous Code Execution" can identifyanomalous runCommand operations on virtual machines, "Azure CloudShell Usage" can identify potentially malicious use of CloudShell, "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse. The following Azure Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell, "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related ccount and permission changes via execution.
References
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1059 Command and Scripting Interpreter
Comments
This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
References
azure_defender_for_app_service Azure Defender for App Service technique_scores T1059 Command and Scripting Interpreter
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1059.002 AppleScript 10
T1059.007 JavaScript/JScript 11
T1059.008 Network Device CLI 10
T1059.001 PowerShell 20
T1059.006 Python 11
T1059.004 Unix Shell 6
T1059.005 Visual Basic 12
T1059.003 Windows Command Shell 5