T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1059 | Command and Scripting Interpreter |
| AC-3 | Access Enforcement | Protects | T1059 | Command and Scripting Interpreter |
| AC-5 | Separation of Duties | Protects | T1059 | Command and Scripting Interpreter |
| AC-6 | Least Privilege | Protects | T1059 | Command and Scripting Interpreter |
| CA-8 | Penetration Testing | Protects | T1059 | Command and Scripting Interpreter |
| CM-11 | User-installed Software | Protects | T1059 | Command and Scripting Interpreter |
| CM-2 | Baseline Configuration | Protects | T1059 | Command and Scripting Interpreter |
| CM-5 | Access Restrictions for Change | Protects | T1059 | Command and Scripting Interpreter |
| CM-6 | Configuration Settings | Protects | T1059 | Command and Scripting Interpreter |
| CM-7 | Least Functionality | Protects | T1059 | Command and Scripting Interpreter |
| CM-8 | System Component Inventory | Protects | T1059 | Command and Scripting Interpreter |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1059 | Command and Scripting Interpreter |
| IA-8 | Identification and Authentication (Non-organizational Users) | Protects | T1059 | Command and Scripting Interpreter |
| IA-9 | Service Identification and Authentication | Protects | T1059 | Command and Scripting Interpreter |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1059 | Command and Scripting Interpreter |
| SC-18 | Mobile Code | Protects | T1059 | Command and Scripting Interpreter |
| SI-10 | Information Input Validation | Protects | T1059 | Command and Scripting Interpreter |
| SI-2 | Flaw Remediation | Protects | T1059 | Command and Scripting Interpreter |
| SI-3 | Malicious Code Protection | Protects | T1059 | Command and Scripting Interpreter |
| SI-4 | System Monitoring | Protects | T1059 | Command and Scripting Interpreter |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1059 | Command and Scripting Interpreter |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059 | Command and Scripting Interpreter |
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1059 | Command and Scripting Interpreter |
| azure_sentinel | Azure Sentinel | technique_scores | T1059 | Command and Scripting Interpreter |
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1059 | Command and Scripting Interpreter |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1059 | Command and Scripting Interpreter |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1059.002 | AppleScript | 10 |
| T1059.007 | JavaScript/JScript | 11 |
| T1059.008 | Network Device CLI | 10 |
| T1059.001 | PowerShell | 20 |
| T1059.006 | Python | 11 |
| T1059.004 | Unix Shell | 6 |
| T1059.005 | Visual Basic | 12 |
| T1059.003 | Windows Command Shell | 5 |