Command-Line Interface

From ATT&CK
Jump to: navigation, search
Command-Line Interface
Technique
ID T1059
Tactic Execution
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux
Permissions Required User, Administrator, SYSTEM
Data Sources Process command-line parameters, Process monitoring
Supports Remote No

Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms.1 One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

Examples

  • Malware used by Ke3chang can run commands on the command-line interface.2
  • APT1 has used the Windows command shell to execute commands.3
  • Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.4
  • An APT3 downloader uses the Windows command "cmd.exe" /C whoami.5 The group also uses a tool to execute commands on remote computers.6
  • Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.7
  • Lazarus Group malware uses cmd.exe to execute commands on victims.8
  • Several tools used by Suckfly have been command-line driven.9
  • Patchwork ran a reverse shell with Meterpreter.10
  • TinyZBot supports execution from the command-line.11
  • PlugX allows actors to spawn a reverse shell on a victim.12
  • Derusbi is capable of creating a remote Bash shell and executing commands.13
  • CHOPSTICK is capable of performing remote command execution.1415
  • Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell.16
  • gh0st RAT is able to open a command shell.17
  • NETEAGLE allows adversaries to execute shell commands on the infected host.16
  • ADVSTORESHELL can create a remote shell and run a given command.15
  • A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.18
  • SeaDuke is capable of executing commands.19
  • 4H RAT has the capability to create a remote shell.20
  • httpclient opens cmd.exe on the victim.20
  • BLACKCOFFEE has the capability to create a reverse shell.21
  • HTTPBrowser is capable of spawning a reverse shell on a victim.12
  • hcdLoader provides command-line access to the compromised system.22
  • Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.23
  • CallMe has the capability to create a reverse shell on victims.24
  • Mivast has the capability to open a remote shell and run basic commands.25
  • Emissary has the capability to create a remote shell and execute specified commands.26
  • Misdat is capable of providing shell functionality to the attacker to execute commands.27
  • Mis-Type uses cmd.exe to run commands for enumerating the host.27
  • ZLib has the ability to execute shell commands.27
  • Hi-Zor has the ability to create a reverse shell.28
  • Kasidet can execute commands using cmd.exe.29
  • cmd is used to execute programs and other actions at the command-line interface.30
  • XTunnel has been used to execute remote commands.14
  • Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.31
  • BADNEWS is capable of executing commands via cmd.exe.32
  • H1N1 kills and disables services by using cmd.exe.33
  • PowerDuke runs cmd.exe /c and sends the output to its C2.34

Mitigation

Audit and/or block command-line interpreters by using whitelisting35 tools, like AppLocker,3637 or Software Restriction Policies38 where appropriate.39

Detection

Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.

References

  1. ^  Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  3. ^  Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  4. ^  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  5. ^  Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  6. ^  Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  7. ^  Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  8. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  9. ^  DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  10. ^  Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  11. ^  Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
  12. a b  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  13. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  14. a b  Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  15. a b  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  16. a b  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  17. ^  FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  18. ^  F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  19. ^  Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  20. a b  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  1. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  2. ^  Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  3. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  4. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  5. ^  Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  6. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  7. a b c  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  8. ^  Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  9. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  10. ^  Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  11. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  12. ^  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  13. ^  Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  14. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  15. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  16. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  17. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  18. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  19. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.