Command and Scripting Interpreter: Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

ID: T1623.001
Sub-technique of:  T1623
Tactic Type: Post-Adversary Device Access
Tactic: Execution
Platforms: Android, iOS
Version: 1.2
Created: 30 March 2022
Last Modified: 07 August 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu has included encoded shell scripts to potentially aid in the rooting process.[1]

S0655 BusyGasper

BusyGasper can run shell commands.[2]

S0555 CHEMISTGAMES

CHEMISTGAMES can run bash commands.[3]

S0550 DoubleAgent

DoubleAgent can run arbitrary shell commands.[4]

S0544 HenBox

HenBox can run commands as root.[5]

S1082 Sunbird

Sunbird can try to run arbitrary commands as root.[6]

S0558 Tiktok Pro

Tiktok Pro can execute commands .[7]

Mitigations

ID Mitigation Description
M1002 Attestation

Device attestation can often detect jailbroken or rooted devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can typically detect jailbroken or rooted devices.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services could detect the invocations of methods that could be used to execute shell commands.[8]

DS0017 Command Command Execution

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.

DS0009 Process Process Creation

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.

Process Metadata

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.

References