T1059 Command and Scripting Interpreter Mappings

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1059 Command and Scripting Interpreter
AC-3 Access Enforcement Protects T1059 Command and Scripting Interpreter
AC-5 Separation of Duties Protects T1059 Command and Scripting Interpreter
AC-6 Least Privilege Protects T1059 Command and Scripting Interpreter
CA-8 Penetration Testing Protects T1059 Command and Scripting Interpreter
CM-11 User-installed Software Protects T1059 Command and Scripting Interpreter
CM-2 Baseline Configuration Protects T1059 Command and Scripting Interpreter
CM-5 Access Restrictions for Change Protects T1059 Command and Scripting Interpreter
CM-6 Configuration Settings Protects T1059 Command and Scripting Interpreter
CM-7 Least Functionality Protects T1059 Command and Scripting Interpreter
CM-8 System Component Inventory Protects T1059 Command and Scripting Interpreter
IA-2 Identification and Authentication (organizational Users) Protects T1059 Command and Scripting Interpreter
IA-8 Identification and Authentication (non-organizational Users) Protects T1059 Command and Scripting Interpreter
IA-9 Service Identification and Authentication Protects T1059 Command and Scripting Interpreter
RA-5 Vulnerability Monitoring and Scanning Protects T1059 Command and Scripting Interpreter
SC-18 Mobile Code Protects T1059 Command and Scripting Interpreter
SI-10 Information Input Validation Protects T1059 Command and Scripting Interpreter
SI-2 Flaw Remediation Protects T1059 Command and Scripting Interpreter
SI-3 Malicious Code Protection Protects T1059 Command and Scripting Interpreter
SI-4 System Monitoring Protects T1059 Command and Scripting Interpreter
SI-7 Software, Firmware, and Information Integrity Protects T1059 Command and Scripting Interpreter
CVE-2019-15243 Cisco SPA112 2-Port Phone Adapter primary_impact T1059 Command and Scripting Interpreter
CVE-2019-15976 Cisco Data Center Network Manager secondary_impact T1059 Command and Scripting Interpreter
CVE-2019-15958 Cisco Prime Infrastructure primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1753 Cisco IOS XE Software secondary_impact T1059 Command and Scripting Interpreter
CVE-2019-1942 Cisco Identity Services Engine Software primary_impact T1059 Command and Scripting Interpreter
CVE-2019-15972 Cisco Unified Communications Manager primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1879 Cisco Unified Computing System (Management Software) secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-3403 Cisco IOS XE Software secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-3292 Cisco Small Business RV Series Router Firmware secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-3253 Cisco Firepower Threat Defense Software primary_impact T1059 Command and Scripting Interpreter
CVE-2019-15249 Cisco SPA112 2-Port Phone Adapter primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1781 Cisco NX-OS Software secondary_impact T1059 Command and Scripting Interpreter
CVE-2019-1768 Cisco NX-OS Software secondary_impact T1059 Command and Scripting Interpreter
CVE-2019-1620 Cisco Data Center Network Manager secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-3216 Cisco IOS XE SD-WAN Software secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-3375 Cisco SD-WAN vManage primary_impact T1059 Command and Scripting Interpreter
CVE-2019-15287 Cisco WebEx WRF Player primary_impact T1059 Command and Scripting Interpreter
CVE-2019-15959 Cisco SPA525G2 5-line IP Phone primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1772 Cisco WebEx WRF Player primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1612 Nexus 3000 Series Switches primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1609 MDS 9000 Series Multilayer Switches primary_impact T1059 Command and Scripting Interpreter
CVE-2018-15444 Cisco Energy Management Suite primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1611 Firepower 4100 Series Next-Generation Firewalls primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1812 Cisco NX-OS Software primary_impact T1059 Command and Scripting Interpreter
CVE-2020-3240 Cisco UCS Director secondary_impact T1059 Command and Scripting Interpreter
CVE-2019-1790 Cisco NX-OS Software primary_impact T1059 Command and Scripting Interpreter
CVE-2018-11048 Data Protection Advisor primary_impact T1059 Command and Scripting Interpreter
CVE-2019-3723 OpenManage Server Administrator secondary_impact T1059 Command and Scripting Interpreter
CVE-2018-15776 iDRAC primary_impact T1059 Command and Scripting Interpreter
CVE-2019-3727 RecoverPoint primary_impact T1059 Command and Scripting Interpreter
CVE-2019-3719 SupportAssist Client primary_impact T1059 Command and Scripting Interpreter
CVE-2018-15764 ESRS Policy Manager primary_impact T1059 Command and Scripting Interpreter
CVE-2019-3704 VNX Control Station in Dell EMC VNX2 OE for File primary_impact T1059 Command and Scripting Interpreter
CVE-2019-18582 Data Protection Advisor primary_impact T1059 Command and Scripting Interpreter
CVE-2020-5350 Integrated Data Protection Appliance primary_impact T1059 Command and Scripting Interpreter
CVE-2019-18581 Data Protection Advisor secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-5332 RSA Archer primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15188 soycms primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15147 Red-DiscordBot primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15118 wagtail primary_impact T1059 Command and Scripting Interpreter
CVE-2020-11055 BookStack primary_impact T1059 Command and Scripting Interpreter
CVE-2020-5283 viewvc primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15094 symfony primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15140 Red-DiscordBot primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15096 electron primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15189 soycms secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-5217 secure_headers primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15143 SyliusResourceBundle primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15179 wiki-scratchsig primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15183 soycms primary_impact T1059 Command and Scripting Interpreter
CVE-2020-15162 PrestaShop primary_impact T1059 Command and Scripting Interpreter
CVE-2020-11073 zsh-autoswitch-virtualenv primary_impact T1059 Command and Scripting Interpreter
CVE-2020-5267 actionview primary_impact T1059 Command and Scripting Interpreter
CVE-2020-5297 october secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-5241 matestack-ui-core primary_impact T1059 Command and Scripting Interpreter
CVE-2020-5281 perun primary_impact T1059 Command and Scripting Interpreter
CVE-2020-12029 FactoryTalk View SE secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-6960 Honeywell Maxpro VMS & NVR primary_impact T1059 Command and Scripting Interpreter
CVE-2020-12014 Advantech WebAccess Node primary_impact T1059 Command and Scripting Interpreter
CVE-2018-19007 Geutebrück GmbH E2 Camera Series versions prior to 1.12.0.25 primary_impact T1059 Command and Scripting Interpreter
CVE-2019-18234 Equinox Control Expert primary_impact T1059 Command and Scripting Interpreter
CVE-2020-6964 GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station, Clinical Information Center systems, CARESCAPE B450, B650, B850 Monitors secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-14510 GateManager secondary_impact T1059 Command and Scripting Interpreter
CVE-2020-14508 GateManager primary_impact T1059 Command and Scripting Interpreter
CVE-2020-10603 WebAccess/NMS primary_impact T1059 Command and Scripting Interpreter
CVE-2018-17889 PI Studio HMI primary_impact T1059 Command and Scripting Interpreter
CVE-2020-12000 Ignition 8 Gateway primary_impact T1059 Command and Scripting Interpreter
CVE-2018-18987 n/a primary_impact T1059 Command and Scripting Interpreter
CVE-2020-1456 Microsoft SharePoint Enterprise Server primary_impact T1059 Command and Scripting Interpreter
CVE-2018-8607 Microsoft Dynamics 365 primary_impact T1059 Command and Scripting Interpreter
CVE-2019-1031 Microsoft SharePoint Foundation primary_impact T1059 Command and Scripting Interpreter
CVE-2015-2945 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2014-4114 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2019-1458 Windows uncategorized T1059 Command and Scripting Interpreter
CVE-2010-3888 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2015-7912 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2012-4681 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2012-0158 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2020-9380 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2020-10189 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2019-2729 WebLogic Server uncategorized T1059 Command and Scripting Interpreter
CVE-2019-2725 Tape Library ACSLS uncategorized T1059 Command and Scripting Interpreter
CVE-2018-10611 MDS PulseNET and MDS PulseNET Enterprise uncategorized T1059 Command and Scripting Interpreter
CVE-2017-18362 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2016-5062 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2015-6480 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2014-6293 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2012-6498 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2013-3893 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2017-14323 n/a uncategorized T1059 Command and Scripting Interpreter
CVE-2020-11651 n/a uncategorized T1059 Command and Scripting Interpreter
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1059 Command and Scripting Interpreter
action.hacking.vector.Command shell Remote shell related-to T1059 Command and Scripting Interpreter
aws_web_application_firewall AWS Web Application Firewall technique_scores T1059 Command and Scripting Interpreter

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1059.002 AppleScript 13
T1059.007 JavaScript 48
T1059.008 Network Device CLI 13
T1059.001 PowerShell 20
T1059.006 Python 13
T1059.004 Unix Shell 13
T1059.005 Visual Basic 14
T1059.003 Windows Command Shell 6