Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.[1][2][3]
ID | Name | Description |
---|---|---|
G0073 | APT19 | |
G0050 | APT32 |
APT32 has used COM scriptlets to download Cobalt Strike beacons.[5] |
G0067 | APT37 | |
G0087 | APT39 |
APT39 has utilized custom scripts to perform internal reconnaissance.[7][8] |
S0234 | Bandook |
Bandook can support commands to execute Java-based payloads.[9] |
S0486 | Bonadan |
Bonadan can create bind and reverse shells on the infected system.[10] |
S0023 | CHOPSTICK |
CHOPSTICK is capable of performing remote command execution.[11][12] |
C0029 | Cutting Edge |
During Cutting Edge, threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and for enumerating host data.[13][14] |
S0334 | DarkComet |
DarkComet can execute various types of scripts on the victim’s machine.[15] |
S0695 | Donut |
Donut can generate shellcode outputs that execute via Ruby.[16] |
G0035 | Dragonfly | |
S0363 | Empire |
Empire uses a command-line interface to interact with systems.[18] |
G0053 | FIN5 |
FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[19] |
G0037 | FIN6 |
FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[20][21] |
G0046 | FIN7 |
FIN7 used SQL scripts to help perform tasks on the victim's machine.[22][23][22] |
S0618 | FIVEHANDS |
FIVEHANDS can receive a command line argument to limit file encryption to specified directories.[24][25] |
G0117 | Fox Kitten |
Fox Kitten has used a Perl reverse shell to communicate with C2.[26] |
S0460 | Get2 |
Get2 has the ability to run executables with command-line arguments.[27] |
S0032 | gh0st RAT |
gh0st RAT is able to open a remote shell to execute commands.[28][29] |
S0434 | Imminent Monitor |
Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.[30] |
G0004 | Ke3chang |
Malware used by Ke3chang can run commands on the command-line interface.[31][32] |
S0487 | Kessel |
Kessel can create a reverse shell between the infected host and a specified system.[10] |
S0167 | Matryoshka |
Matryoshka is capable of providing Meterpreter shell access.[33] |
G0049 | OilRig |
OilRig has used various types of scripting for execution.[34][35][36][37][38] |
C0005 | Operation Spalax |
For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.[39] |
S0598 | P.A.S. Webshell |
P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[40] |
S0428 | PoetRAT |
PoetRAT has executed a Lua script through a Lua interpreter for Windows.[41] |
S1110 | SLIGHTPULSE |
SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[42] |
S0374 | SpeakUp | |
G0038 | Stealth Falcon |
Stealth Falcon malware uses WMI to script data collection and command execution on the victim.[44] |
G0107 | Whitefly |
Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[45] |
G0124 | Windigo |
Windigo has used a Perl script for information gathering.[10] |
S0219 | WINERACK |
WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands.[46] |
S0330 | Zeus Panda |
Zeus Panda can launch remote scripts on the victim’s machine.[47] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically quarantine suspicious files. |
M1040 | Behavior Prevention on Endpoint |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content [48]. |
M1045 | Code Signing |
Where possible, only permit execution of signed scripts. |
M1042 | Disable or Remove Feature or Program |
Disable or remove any unnecessary or unused shells or interpreters. |
M1038 | Execution Prevention |
Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., |
M1026 | Privileged Account Management |
When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[50] PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.[51] |
M1021 | Restrict Web-Based Content |
Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. |
DS0011 | Module | Module Load |
Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll). |
DS0009 | Process | Process Creation |
Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. |
Process Metadata |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the |
||
DS0012 | Script | Script Execution |
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |