Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic Unix Shell that can be accessed via the Android Debug Bridge (ADB) or Java’s Runtime package.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

ID: T1623
Sub-techniques:  T1623.001
Tactic Type: Post-Adversary Device Access
Tactic: Execution
Platforms: Android, iOS
Version: 1.0
Created: 30 March 2022
Last Modified: 06 April 2022


ID Mitigation Description
M1002 Attestation

Device attestation can often detect jailbroken or rooted devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can typically detect jailbroken or rooted devices.


Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.

Application vetting services could detect the invocations of methods that could be used to execute shell commands.[1]