Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, many Linux distributions include Bash as a default shell while Windows installations include the Windows Command Shell and PowerShell.

There are also additional third-party interpreters, such as Python, that may also be cross-platform.

ID: T1059
Tactic: Execution
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: PowerShell logs, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Version: 2.0
Created: 31 May 2017
Last Modified: 28 March 2020

Procedure Examples

Name Description
APT19

APT19 downloaded and launched code within a SCT file.[39]

APT37

APT37 executes shellcode and a VBA script to decode Base64 strings.[54]

Astaroth

Astaroth uses JavaScript to perform its core functionalities. [21]

CHOPSTICK

CHOPSTICK is capable of performing remote command execution.[7][8]

Cobalt Group

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution and executed JavaScript scriptlets on the victim's machine.[46][47][48][49][50][51]

Cobalt Strike

Cobalt Strike can use VBA, PowerSploit, and other scripting frameworks to perform execution.[3][4]

DarkComet

DarkComet can execute various types of scripts on the victim’s machine.[13]

Denis

Denis executes shellcode on the victim's machine.[15]

Dragonfly 2.0

Dragonfly 2.0 used command line for execution.[30]

Emotet

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [16][17][18][19][20]

Empire

Empire uses a command-line interface to interact with systems.[2]

Exaramel for Windows

Exaramel for Windows can execute GO scripts.[5]

FIN4

FIN4 has used VBA macros to display a dialog box and collect victim credentials.[52][53]

FIN5

FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[45]

FIN6

FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[42][43]

FIN7

FIN7 used SQL and JavaScript scripts to help perform tasks on the victim's machine.[40][41][40]

gh0st RAT

gh0st RAT is able to open a remote shell to execute commands.[10][11]

jRAT

jRAT has been distributed as HTA files with JScript.[29]

Ke3chang

Malware used by Ke3chang can run commands on the command-line interface.[37][38]

Leafminer

Leafminer infected victims using JavaScript code.[44]

Matroyshka

Matroyshka is capable of providing Meterpreter shell access.[12]

NanHaiShu

NanHaiShu executes additional Jscript code on the victim's machine.[24]

OilRig

OilRig has used various types of scripting for execution.[32][33][34][35][36]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses macros for execution.[14]

POWERSTATS

POWERSTATS can use JavaScript code for execution.[28]

PUNCHBUGGY

PUNCHBUGGY has used shellcode scripts.[25]

Silence

Silence has used JS scripts.[55]

SpeakUp

SpeakUp uses Perl scripts.[26]

Stealth Falcon

Stealth Falcon malware uses WMI to script data collection and command execution on the victim.[31]

TA505

TA505 has used JavaScript for code execution.[56][57]

TYPEFRAME

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[9]

Ursnif

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[22]

WINERACK

WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands.[6]

Xbash

Xbash can execute malicious JavaScript payloads on the victim’s machine.[27]

Zeus Panda

Zeus Panda can launch remote scripts on the victim’s machine.[23]

Mitigations

Mitigation Description
Code Signing

Where possible, only permit execution of signed scripts.

Disable or Remove Feature or Program

Disable or remove any unnecessary or unused shells or interpreters.

Execution Prevention

Use application whitelisting where appropriate.

Privileged Account Management

When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[1]

Detection

Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.

References

  1. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  4. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  5. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  6. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  7. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  8. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  9. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  10. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  11. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  12. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  13. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  14. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  15. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  16. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  17. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  18. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  19. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  20. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  21. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  22. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  23. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  24. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  25. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  26. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  27. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  28. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  29. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  3. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  4. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  5. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  6. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  7. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  8. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  9. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  10. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  11. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  12. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  13. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  14. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  15. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  16. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  17. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  18. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  19. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  20. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  21. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  22. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  23. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  24. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  25. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  26. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  27. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  28. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.