MITRE ATT&CK T1059 Command Line Interface

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Command Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware. 

A Command-Line Interface (CLI) offers a way of interacting with local or remote computer systems. Our research has found that Command-Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware. As an execution technique, adversaries use one or more CLI to run their code, interact with local and remote systems, and execute other software during an attack campaign.

Introduction

Operating systems (OS) provide one or more built-in Command Line Interfaces (CLIs) to users. Not only legitimate users but adversaries also frequently use built-in OS CLIs to run their commands since it is easy to detect a third-party program that executes commands.

As an Execution technique, CLI is critical to run adversary-controlled code on a local or remote system. Execution techniques are typically combined with techniques from all other tactics to accomplish specific aims, such as lateral movement and data exfiltration. 

In this article, we review:

  • the fundamentals of the Command-Line Interface technique
  • updates on the technique in the new version of the ATT&CK framework
  • sub-techniques of the new version of the Command-Line Interface technique
  • its use cases by threat actors and malware
  • Red team exercises for this technique

Changes in the New Version of the MITRE ATT&CK Framework

The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK Sub-techniques are a way to describe a specific implementation of a technique in more detail. 

In the new sub-technique version of the MITRE ATT&CK Framework, the name of the Command-Line Interface technique is changed as Command and Scripting Interpreter, and seven sub-techniques are added under this technique:

  • T1086 PowerShell and T1155 AppleScript were existing techniques in the previous version and became sub-techniques in the new version, T1059.001 PowerShell and T1059.002 AppleScript respectively.
  • T1059.003 Windows Command Shell was included in the T1059 Command-Line Interface technique in the previous version and became a sub-technique in the new version.
  • The T1064 Scripting technique in the previous version deprecated and split into separate T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, and T1059.007 JavaScript/Jscript sub-techniques of T1059 Command and Scripting Interpreter.

Command and Scripting Interpreter Sub-techniques

In this blog post, the first three sub-techniques will be explained. Since Scripting was the sixth most prevalent ATT&CK technique according to our 10 Critical ATT&CK Technique research, we will describe the remaining four sub-techniques in our Scripting blog post.

 

  • T1059.001 PowerShell

    PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows operating systems. Since PowerShell has extensive access to Windows internals, system administrators frequently use it to manage and configure the operating system, and automate complex tasks. Not only system administrators but also adversaries have realized the potential in incorporating this powerful tool into their arsenal.

    Before being a sub-technique of the Command and Scripting Interpreter technique, PowerShell was a stand-alone technique. It appeared as the second most frequently used MITRE ATT&CK technique in our Ten Critical ATT&CK techniques search. Click here to read our detailed blog post on the PowerShell technique.

  • T1059.002 AppleScript

    AppleScript is a macOS scripting language that allows users to directly control scriptable macOS applications, as well as parts of macOS itself [2]. Scripts - sets of written instructions - can be created to automate repetitive tasks, integrate features from multiple scriptable applications, and build complex workflows. A scriptable application is an application that can be controlled by a script. For AppleScript, scriptable applications are responsive to inter-application messages, called Apple events. An Apple event can be sent from a script, an application, and macOS.

    Macro malware developers use AppleScript to run their malicious code on Mac systems. For example, the macro code in a macro malware verifies whether WScript.Shell - the Windows Script Shell - is present [3]. If WScript is not detected, the code executes the MacScript function of the VBA. This function executes an AppleScript  script that creates a reverse shell via Python. As another use case of the AppleScript sub-technique, OSX/Dok trojan utilizes AppleScript to create a Login Item [4]. macOS malware uses Login Items for persistence since they can execute applications when the users log on. Moreover, AppleScript is also utilized by the WebTools component of the Bundlore adware to inject malicious JavaScript code into the browser [5].
T1059.003 Windows Command Shell

Adversaries frequently utilize the Windows command shell (also known as cmd.exe), command line, or simply cmd) for execution. Actually, it is an application built into the Windows OS that accepts commands and executes them. Although not as powerful as PowerShell, you can control almost any aspect of a system with the Windows Command Shell. PowerShell has been developed to enhance the abilities of the Command Shell.

The Windows cmd.exe shell can be used to build scripts, and store them in batch files (e.g., .bat or .cmd files) to run multiple commands and automate long and repetitive tasks like user account management or nightly backups.

Adversaries commonly use cmd.exe with the /c parameter such as cmd.exe /c <command>. The /c parameter is used to run the command and then terminate the shell after command completion [6]. Interactive shells may also be created (such as a reverse shell) to run commands and get outputs interactively.

Malware families abuse cmd.exe for different purposes. For example, the WastedLocker ransomware that has recently caused a worldwide outage of services of wearable device maker Garmin [7] uses cmd.exe for:

  • Execute malicious payloads 
  • Creating delays for Virtualization/Sandbox Evasion (MITRE ATT&CK T1497) via Time Based Evasion (MITRE ATT&CK T1497.003) [8]
  • Deleting service executables for Indicator Removal on Host (MITRE ATT&CK T1070) via File Deletion (MITRE ATT&CK T11070.004) [9]
  • Modify file attributes with the attrib command [10]


Red and Blue Team Exercises

 

Red Teaming - How to simulate?

Briefly, the following cmd.exe one-liner gets system information using an obfuscated command.

C:\Users\who>cmd.exe /c ,p"o"wer^s^hell"."ex^e G"e"t"-"Wm^i"O"bje"c"t -Cl"a"s^s win32_ComputerSystem

Domain                                   : WORKGROUP
Manufacturer                       : VMware, Inc.
Model                                     : VMware7,1
Name                                      : BLUEFISH
PrimaryOwnerName         : localadmin
TotalPhysicalMemory       : 2146414592

 

Let’s split and analyze the command:

  • cmd.exe /c: As mentioned above, the /c parameter is used to run the command and then terminate the shell after command completion (MITRE ATT&CK T1059.003 Windows Command Shell) [6].
  • Inserted character for obfuscation (T1406 Obfuscated Files or Information):
    • Comma: The comma (,) character can serve as delimiters and can be used instead of the whitespace character in cmd.exe commands. This feature is used by attacks to obfuscate commands.
    • Carets: The caret (^) is the escape character of cmd.exe and one of the most commonly used characters for obfuscation of cmd.exe commands to evade rigid detection signatures.
    • Double quotes: In this command, double quotes (“) are used to wrap characters, which is equivalent to connecting these characters with others.

After removing the above obfuscation characters, we have the following de-obfuscated command: 

C:\Users\who>cmd.exe /c powershell.exe Get-WmiObject -Class win32_ComputerSystem

 

  • powershell.exe: cmd.exe will run a PowerShell command. (MITRE ATT&CK T1059.001 PowerShell)
  • Get-WmiObject: The PowerShell command uses Get-WmiObject cmdlet that gets information about the available WMI classes (MITRE ATT&CK T1047 Windows Management Instrumentation).
  • Win32_ComputerSystem: This WMI class discovers system information (MITRE ATT&CK T1082 System Information Discovery).

In conclusion, this command incorporates five different ATT&CK techniques.

Blue Teaming - How to detect?

Following Sigma rule can be used to detect gathering system information using Get-WmiObject cmdlet of PowerShell:

title: SystemInformationDiscoveryviaPowerShellCmdlet
status: experimental
description: DetectstheattempttogathersysteminformationusingGet-WmiObjectcmdletofPowerShell.Thistechniqueiscommonlyutilizedfordiscovery.
author: PicusSecurity
references:
- https://attack.mitre.org/techniques/T1047/
- https://attack.mitre.org/techniques/T1086/
- https://attack.mitre.org/techniques/T1082/
- https://attack.mitre.org/tactics/TA0002/
- https://attack.mitre.org/tactics/TA0007/
logsource:
     product: windows
     service: security
     definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation'
    definition2: 'Requirements: Group Policy : Computer Configuration\ Administrative Templates\ System\ Audit Process Creation\ Include Command Line'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\powershell.exe'
        ProcessCommandLine: '*wmi* *Win32_ComputerSystem*'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1086
    - attack.t1082
    - attack.ta0002
    - attack.ta0007

References

[1] “Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]

[2] “Introduction to AppleScript Language Guide,” 25-Jan-2016. [Online]. Available: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html. [Accessed: 09-Aug-2020]

[3] Y. Grbic, “Macro Malware Targets Macs,” 14-Feb-2017. [Online]. Available: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/. [Accessed: 09-Aug-2020]

[4] “Mac Malware of 2017.” [Online]. Available: https://objective-see.com/blog/blog_0x25.html#Dok. [Accessed: 09-Aug-2020]

[5] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. [Online]. Available: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis. [Accessed: 09-Aug-2020]

[6] “CMD.exe.” [Online]. Available: https://ss64.com/nt/cmd.html. [Accessed: 10-Aug-2020]

[7] S. Gatlan, “Garmin outage caused by confirmed WastedLocker ransomware attack,” BleepingComputer, 24-Jul-2020. [Online]. Available: https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/. [Accessed: 10-Aug-2020]

[8] “Virtualization/Sandbox Evasion: Time Based Evasion.” [Online]. Available: https://attack.mitre.org/techniques/T1497/003/. [Accessed: 10-Aug-2020]

[9] “Virtualization/Sandbox Evasion: Time Based Evasion.” [Online]. Available: https://attack.mitre.org/techniques/T1497/003/. [Accessed: 10-Aug-2020]

[10] coreyp-at-msft, “attrib.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib. [Accessed: 10-Aug-2020]

[11] Neo23x, “Neo23x0/sigma,” GitHub. [Online]. Available: https://github.com/Neo23x0/sigma. [Accessed: 12-Jul-2020]

10 Critical MITRE ATT&CK Techniques