Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, Android is a UNIX-like OS and includes a basic Unix shell that can be accessed via the Android Debug Bridge (ADB) or Java’s Runtime package.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

ID: T1623
Sub-techniques: T1623.001
Tactic Type: Post-Adversary Device Access
Tactic: Execution
Platforms: Android, iOS
Version: 1.2
Created: 30 March 2022
Last Modified: 07 August 2023

Procedure Examples

ID Name Description
S1056 TianySpy

TianySpy can steal information via malicious JavaScript.[1]

Mitigations

ID Mitigation Description
M1002 Attestation

Device attestation can often detect jailbroken or rooted devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can typically detect jailbroken or rooted devices.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could detect the invocations of methods that could be used to execute shell commands.[2]
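The vetting check described above, as an added example that is not part of the ATT&CK page or any vetting product: a small static scanner over disassembled (smali) Android code that flags the Java class-library calls that hand a command line to the OS (java.lang.Runtime.exec and java.lang.ProcessBuilder) and the string constants commonly passed to them. The smali samples, file names and the hint-string list are constructed for the example; the method descriptors are the real Android/Java ones.

```python
import re
from dataclasses import dataclass

# Smali method descriptors that execute an external command. These are the real
# java.lang.Runtime / java.lang.ProcessBuilder signatures as they appear in DEX.
SHELL_EXEC_SIGNATURES = {
    "Ljava/lang/Runtime;->exec(": "java.lang.Runtime.exec",
    "Ljava/lang/ProcessBuilder;-><init>(": "java.lang.ProcessBuilder.<init>",
    "Ljava/lang/ProcessBuilder;->start(": "java.lang.ProcessBuilder.start",
}

# Constructed hint list: strings that usually accompany shell execution. A hit is
# supporting evidence for a reviewer, not a verdict on its own.
SHELL_STRING_HINTS = {"su", "sh"}
SHELL_PATH_PREFIXES = ("/system/bin/", "/system/xbin/")

INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|direct|static|interface|super)(?:/range)?\s+\{[^}]*\},\s+(?P<desc>\S+)"
)
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+\S+,\s+"(?P<s>[^"]*)"')


@dataclass
class Finding:
    path: str
    line: int
    kind: str      # "invocation" (a command-executing call) or "string" (a hint)
    detail: str    # method name or the string literal


def _is_shell_string(s: str) -> bool:
    return s in SHELL_STRING_HINTS or s.startswith(SHELL_PATH_PREFIXES)


def scan_smali(path: str, text: str) -> list[Finding]:
    """Scan one smali file line by line and return every finding with its line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = INVOKE_RE.match(line)
        if m:
            desc = m.group("desc")
            for sig, name in SHELL_EXEC_SIGNATURES.items():
                if desc.startswith(sig):
                    findings.append(Finding(path, lineno, "invocation", name))
            continue
        m = CONST_STR_RE.match(line)
        if m and _is_shell_string(m.group("s")):
            findings.append(Finding(path, lineno, "string", m.group("s")))
    return findings


def vet_app(sources: dict[str, str]) -> dict:
    """Run the scanner over every disassembled file of an app and summarise the result."""
    findings = [f for path, text in sources.items() for f in scan_smali(path, text)]
    invocations = [f for f in findings if f.kind == "invocation"]
    return {
        "findings": findings,
        "verdict": "needs review" if invocations else "no shell execution found",
    }


# Constructed smali samples (not taken from any real app).
SAMPLE_SUSPICIOUS = """\
.method private runAsRoot(Ljava/lang/String;)V
    .locals 3
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "su"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    move-result-object v2
    const-string v1, "/system/bin/sh"
    new-instance v0, Ljava/lang/ProcessBuilder;
    invoke-direct {v0, v1}, Ljava/lang/ProcessBuilder;-><init>([Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/lang/ProcessBuilder;->start()Ljava/lang/Process;
    return-void
.end method
"""

SAMPLE_BENIGN = """\
.method private log(Ljava/lang/String;)V
    .locals 1
    const-string v0, "MyApp"
    invoke-static {v0, p1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

if __name__ == "__main__":
    report = vet_app({"MyApp/Util.smali": SAMPLE_SUSPICIOUS, "MyApp/Logger.smali": SAMPLE_BENIGN})
    print(report["verdict"])
    for f in report["findings"]:
        print(f"{f.path}:{f.line} {f.kind}: {f.detail}")
```

Only the invocation findings drive the verdict; the string hints are reported so a reviewer can see what the flagged call is likely to run. Note that the scanner does not follow reflection or native (JNI) code, which is where a vetting service has to rely on dynamic analysis instead.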

DS0017 Command Command Execution

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.

DS0009 Process Process Creation

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.

Process Metadata

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.
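The Command Execution, Process Creation and Process Metadata detections above all come down to the same check: a shell (or su) running with an application's identity. As an added example, not code from the ATT&CK page or from any MTD product, here is that check over a constructed process snapshot in a PID/PPID/UID/NAME layout; the column layout, process names and PIDs are invented for the example, while the 10000-19999 application UID range is the real Android convention.

```python
import os
from dataclasses import dataclass

# Android assigns UIDs 10000-19999 to installed applications
# (AID_APP_START / AID_APP_END in the platform's android_filesystem_config.h).
APP_UID_START, APP_UID_END = 10000, 19999

# Shell executables seen on Android devices; bash only exists on modified devices.
SHELL_NAMES = {"sh", "mksh", "bash"}
SU_NAMES = {"su"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int
    cmdline: str

    @property
    def exe(self) -> str:
        """Basename of the first command-line token (/system/bin/sh -c id -> sh)."""
        tokens = self.cmdline.split()
        return os.path.basename(tokens[0]) if tokens else ""


def parse_snapshot(text: str) -> dict[int, Proc]:
    """Parse a constructed 'PID PPID UID NAME' table into a pid -> Proc map."""
    procs: dict[int, Proc] = {}
    for line in text.strip().splitlines()[1:]:        # skip the header row
        pid, ppid, uid, name = line.split(None, 3)    # NAME may contain spaces
        p = Proc(int(pid), int(ppid), int(uid), name.strip())
        procs[p.pid] = p
    return procs


def is_app_uid(uid: int) -> bool:
    return APP_UID_START <= uid <= APP_UID_END


def find_suspicious_shells(procs: dict[int, Proc]) -> list[dict]:
    """Flag su invocations and shells that run under an application UID."""
    alerts = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        parent_name = parent.cmdline if parent else "?"
        if p.exe in SU_NAMES:
            alerts.append({"pid": p.pid, "rule": "su-invoked", "parent": parent_name})
        elif p.exe in SHELL_NAMES and is_app_uid(p.uid):
            # Children of Runtime.exec()/ProcessBuilder inherit the app's UID, so a
            # shell under an app UID was started by that app, whatever its PPID says.
            alerts.append({"pid": p.pid, "rule": "shell-under-app-uid", "parent": parent_name})
    return sorted(alerts, key=lambda a: a["pid"])


# Constructed snapshot. The shell at pid 2001 belongs to the adb shell user (uid 2000)
# and is deliberately not flagged by the app-UID rule.
SAMPLE_SNAPSHOT = """\
PID   PPID  UID    NAME
1     0     0      init
563   1     0      zygote64
900   1     2000   adbd
1201  563   10087  com.example.notes
1340  1201  10087  /system/bin/sh -c id
1512  563   10092  com.vendor.launcher
1611  1512  10092  sh
1702  1512  10092  su
2001  900   2000   /system/bin/sh
"""

if __name__ == "__main__":
    for alert in find_suspicious_shells(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(alert)
```

The same function serves a one-off snapshot of running processes and a stream of process-creation events, as long as each record carries the new process's UID and parent; the UID is the more reliable signal of the two, because a shell keeps the app's UID even if its parent has already exited. Keying on the UID rather than the parent name also avoids the usual false negative when a vendor app runs under a shared UID with a different process name.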

References