Command-Line Interface

Technique: Command-Line Interface
ID: T1059
Tactic: Execution
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: Process command-line parameters, Process monitoring
Supports Remote: No

Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms.[1] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks, including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes a process invocation that changes the permissions context for that execution (e.g. a Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

Examples

  • APT1 has used the Windows command shell to execute commands.[2]
  • An APT3 downloader uses the Windows command "cmd.exe" /C whoami.[3] The group also uses a tool to execute commands on remote computers.[4]
  • APT34 has used the command-line interface for execution.[5][6]
  • APT37 has used the command-line interface.[7]
  • BRONZE BUTLER uses the command-line interface.[8]
  • FIN8 executes commands remotely via cmd.exe.[9]
  • Malware used by Ke3chang can run commands on the command-line interface.[10]
  • Lazarus Group malware uses cmd.exe to execute commands on victims.[11][12]
  • Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell.[13]
  • Magic Hound has used the command-line interface.[14]
  • OilRig has used a command-line interface for execution.[15]
  • Patchwork ran a reverse shell with Meterpreter.[16]
  • Sowbug has used the command line during its intrusions.[17]
  • Several tools used by Suckfly have been command-line driven.[18]
  • Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[19]
  • Threat Group-3390 has used command-line interfaces for execution.[20]
  • Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[21]
  • menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.[22][23][24]
  • 4H RAT has the capability to create a remote shell.[25]
  • ADVSTORESHELL can create a remote shell and run a given command.[26][27]
  • Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[28]
  • BADNEWS is capable of executing commands via cmd.exe.[29]
  • BLACKCOFFEE has the capability to create a reverse shell.[30]
  • CHOPSTICK is capable of performing remote command execution.[31][26]
  • CallMe has the capability to create a reverse shell on victims.[32]
  • Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[33]
  • China Chopper is capable of opening a command terminal.[20]
  • Cobalt Strike uses a command-line interface to interact with systems.[34]
  • A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.[35]
  • creates a backdoor through which remote attackers can open a command-line interface.[36]
  • Daserf can execute shell commands.[37][8]
  • Derusbi is capable of creating a remote Bash shell and executing commands.[38][13]
  • Dipsind can spawn remote shells.[39]
  • DownPaper uses the command line.[40]
  • Emissary has the capability to create a remote shell and execute specified commands.[41]
  • Felismus uses the command line for execution.[42]
  • H1N1 kills and disables services by using cmd.exe.[43]
  • HOMEFRY uses a command-line interface.[13]
  • HTTPBrowser is capable of spawning a reverse shell on a victim.[44]
  • Helminth can provide a remote shell.[45]
  • Hi-Zor has the ability to create a reverse shell.[46]
  • JPIN can use the command-line utility cacls.exe to change file permissions.[39]
  • KOMPROGO is capable of creating a reverse shell.[47]
  • Kasidet can execute commands using cmd.exe.[48]
  • creates a backdoor through which remote attackers can start a remote shell.[49]
  • MURKYTOP uses the command-line interface.[13]
  • Matroyshka is capable of providing Meterpreter shell access.[50]
  • Mis-Type uses cmd.exe to run commands for enumerating the host.[51]
  • Misdat is capable of providing shell functionality to the attacker to execute commands.[51]
  • Mivast has the capability to open a remote shell and run basic commands.[52]

Mitigation

Audit and/or block command-line interpreters by using whitelisting[53] tools, like AppLocker,[54][55] or Software Restriction Policies[56] where appropriate.[57]
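An AppLocker deployment is only a mitigation for this technique if its executable rule collection actually reaches the interpreters and is enforced rather than merely audited. The script below is an added example for checking that, written for this page and not taken from ATT&CK or from Microsoft. SAMPLE_POLICY is a constructed, minimal document in the shape AppLocker exports (for instance via Get-AppLockerPolicy -Effective -Xml in PowerShell); the rule names, the placeholder GUIDs and the list of interpreters to check are assumptions.

```python
"""Audit an AppLocker policy export for coverage of command-line interpreters.

Added example, not ATT&CK or Microsoft code. The policy XML is constructed
and minimal; real exports carry many more rules and rule types.
"""
import xml.etree.ElementTree as ET

# Interpreters the Mitigation section is concerned with (assumed list).
INTERPRETERS = ["cmd.exe", "powershell.exe"]

# Constructed policy: the usual "allow everything under %WINDIR%" default rule
# plus an explicit deny for cmd.exe, with the collection left in audit-only mode.
# Placeholder GUIDs; S-1-1-0 is the Everyone SID.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002"
                  Name="Deny cmd.exe" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""


def exe_collection(policy_xml):
    """The RuleCollection that governs .exe launches, or None if absent."""
    root = ET.fromstring(policy_xml)
    for coll in root.findall("RuleCollection"):
        if coll.get("Type") == "Exe":
            return coll
    return None


def path_rules(coll, action, exe_name):
    """Names of FilePathRules with the given Action that reach exe_name.

    Interpreters live under the Windows folder, so a wildcard allow for
    %WINDIR% or %SYSTEM32% reaches them just as an exact-path rule does.
    """
    names = []
    for rule in coll.findall("FilePathRule"):
        if rule.get("Action") != action:
            continue
        for cond in rule.iter("FilePathCondition"):
            path = cond.get("Path", "").lower()
            wildcard = path in ("%windir%\\*", "%system32%\\*")
            if wildcard or path.endswith("\\" + exe_name):
                names.append(rule.get("Name"))
    return names


def assess(policy_xml, interpreters=INTERPRETERS):
    """Map each interpreter to a verdict: blocked, audit only, or gap."""
    coll = exe_collection(policy_xml)
    if coll is None:
        return {name: "gap: no Exe rule collection" for name in interpreters}
    mode = coll.get("EnforcementMode", "NotConfigured")
    report = {}
    for name in interpreters:
        denies = path_rules(coll, "Deny", name)
        allows = path_rules(coll, "Allow", name)
        if not denies:
            via = f" (allowed by: {', '.join(allows)})" if allows else ""
            report[name] = f"gap: no deny rule{via}"
        elif mode == "Enabled":
            # In AppLocker an explicit deny takes precedence over any allow rule.
            report[name] = f"blocked by: {', '.join(denies)}"
        elif mode == "AuditOnly":
            report[name] = f"audit only: {', '.join(denies)} is logged, not enforced"
        else:
            report[name] = "gap: deny rule present but collection not configured"
    return report


if __name__ == "__main__":
    for exe, verdict in assess(SAMPLE_POLICY).items():
        print(f"{exe}: {verdict}")
```

Run against the sample, the script reports cmd.exe as audit-only and powershell.exe as an uncovered gap reached by the default Windows-folder allow rule. Two caveats a practitioner should keep in mind: a path rule on %SYSTEM32%\cmd.exe does not cover the 32-bit copy under SysWOW64 on 64-bit Windows, which is one reason publisher rules are generally preferred over path rules; and a deny scoped to S-1-1-0 applies to administrators too, so production rules are normally scoped to a specific user group.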

Detection

Command-line interface activities can be captured through proper logging of process execution together with its command-line arguments. This information can be useful in gaining additional insight into adversaries' actions by showing how they use native processes or custom tools.
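Process-creation logs with full command lines make the behaviours listed under Examples (cmd.exe /C whoami, cacls.exe invoked through a shell, shells spawned for remote execution) directly visible. The script below is an added example for this section, not code from the ATT&CK page or any of the cited vendors. The records in SAMPLE_EVENTS are constructed to carry the fields a process-creation event exposes (Windows Security event 4688 or Sysmon Event ID 1: parent image, image and command line); the field names and the indicator lists are assumptions, not an authoritative ruleset.

```python
"""Flag suspicious command-line interpreter activity in process-creation events.

Added example for the Detection section. Field names, indicator lists and the
sample records are all assumptions constructed for this illustration.
"""

INTERPRETERS = {"cmd.exe", "powershell.exe", "bash", "sh"}
# Parents that normally have no reason to start a shell (document readers, mail).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Host-enumeration and permission-changing commands often chained behind /C.
RECON_COMMANDS = {"whoami", "net", "systeminfo", "ipconfig", "tasklist",
                  "cacls", "icacls", "hostname"}

# Constructed sample events (assumed field names, not a real log export).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 4388, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": '"cmd.exe" /C whoami'},
    {"pid": 5012, "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c cacls.exe C:\Users\Public /E /G Everyone:F"},
    {"pid": 5100, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 5230, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /Q /c whoami"},
]


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_after_switch(command_line):
    """Return the program named right after cmd's /C or /K switch, or None."""
    toks = [t.strip('"').lower() for t in command_line.split()]
    for i, tok in enumerate(toks):
        if tok in ("/c", "/k") and i + 1 < len(toks):
            name = basename(toks[i + 1])
            return name[:-4] if name.endswith(".exe") else name
    return None


def classify(event):
    """Return the list of reasons an event looks suspicious (empty if benign)."""
    reasons = []
    if basename(event["image"]) not in INTERPRETERS:
        return reasons
    parent = basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"shell spawned by {parent}")
    if parent == "wmiprvse.exe":
        reasons.append("shell spawned by the WMI provider host (remote execution path)")
    if "\\appdata\\local\\temp\\" in event["parent_image"].lower():
        reasons.append("parent process runs from a user temp directory")
    cmd = command_after_switch(event["command_line"])
    if cmd in RECON_COMMANDS:
        reasons.append(f"non-interactive /C execution of {cmd}")
    return reasons


def scan(events):
    """Pair each flagged event's pid with its reasons; benign events are dropped."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event["pid"], reasons))
    return flagged


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The interactive cmd.exe started from Explorer and the service host are left alone; the three flagged events each combine an unusual parent with a non-interactive command, which is the pairing that distinguishes the page's examples from ordinary administrative use. Without the command-line field only the parent/child relationship would survive, so enabling command-line capture (the "Include command line in process creation events" policy for 4688, or Sysmon) is the prerequisite for this kind of logic.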

References

  1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  3. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  5. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  6. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  7. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  8. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  9. Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  10. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  12. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  13. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  14. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  15. Unit 42. (2017, December 15). Unit 42 Playbook Viewer - OilRig. Retrieved December 20, 2017.
  16. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  17. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  18. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  19. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  20. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  21. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  22. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  23. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  24. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  25. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  26. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  27. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  28. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  29. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  30. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  31. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  32. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  33. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  34. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  35. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  36. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  37. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  38. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  39. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  40. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  41. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  42. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  43. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  44. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  45. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  46. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  47. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  48. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  49. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  50. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  51. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  52. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  53. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  54. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  55. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  56. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  57. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.