Huseyin Can YUCEEL & Picus Labs | February 17, 2022
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
Picus Labs analyzes new cybersecurity incidents and malware strains and continuously expands the Picus Threat Library. Last year alone, we analyzed millions of TTPs used by adversaries and added thousands of attack simulations to our threat library. This gives us a comprehensive view of the cyber threat landscape and lets us provide insight into the techniques adversaries use.
In the Red Report 2023, we shared our findings on the Top Ten Most Prevalent MITRE ATT&CK Techniques used by adversaries. Alongside The Red Report 2023, we decided to write a blog series that explains these ATT&CK techniques in detail. This is the first post of the series, and it explains the most used MITRE ATT&CK technique, T1059 Command and Scripting Interpreter.
Command and Scripting Interpreter is an execution technique that adversaries use to run commands, scripts, and binaries on target systems. Attackers frequently use it to interact with local and remote systems and to execute malicious code on the victim's assets. Because of its direct impact and effectiveness, the Command and Scripting Interpreter technique is the most used adversary technique in the MITRE ATT&CK framework and the top-ranked technique in the Red Report 2023.
An interpreter is a computer program that directly executes instructions written in a programming or scripting language without compiling them beforehand. Interpreters simplify the code writing process and allow human-readable code to be executed directly. For this reason, attackers prefer using interpreters in their attack campaigns.
The T1059 Command and Scripting Interpreter technique covers two kinds of interpreter: command interpreters and scripting interpreters.
Legitimate users such as system administrators and programmers use command interpreters to execute arbitrary tasks, and scripting interpreters to accelerate operational tasks by automating them in scripts.
While command and scripting interpreters are developed for legitimate users, adversaries frequently use one or more of them to execute malicious code and interact with local and remote systems during attack campaigns. For example, attackers use scripts to enumerate running services and processes, discover system and user information, and persist on the victim machine by executing the malicious payload each time a user logs in.
Moreover, some scripting languages, such as PowerShell and VBScript on Windows, Unix shells on Unix-like systems, and AppleScript on macOS, interact directly with the OS through its APIs. Adversaries can therefore use them to bypass weak process monitoring mechanisms. Since these interpreters are built into the operating system, using them is stealthier than using custom tools.
Subtechnique 1: T1059.001 PowerShell
PowerShell is an interactive command-line shell and scripting language that is included in Windows operating systems by default. System administrators frequently use PowerShell to manage the operating system and automate complex tasks because of its extensive access to the internals of Windows. Adversaries have also recognized the value of such a capable tool and keep it in their arsenal.
PowerShell was a stand-alone technique before the MITRE ATT&CK framework update of July 2020; it is now a sub-technique of the Command and Scripting Interpreter technique. In the Picus Red Report 2020, it was ranked as the second most frequently used MITRE ATT&CK technique.
It is simple to detect a third-party program that is used to execute malicious commands on the Windows operating system. As a result, adversaries usually execute commands by abusing built-in Windows command-line and scripting tools rather than third-party programs, in order to evade detection.
PowerShell is one of the utilities that attackers use to develop fileless malware that runs entirely in memory and leaves no traces on the disk. Adversaries can conduct sophisticated malicious activities with PowerShell due to its broad access to the operating system's internals. Additionally, attackers abuse PowerShell for maintaining persistence, discovering information, collecting and exfiltrating data, and lateral movement.
In the MITRE ATT&CK Framework, the Command and Scripting Interpreter technique is categorized only under the Execution tactic. However, its sub-techniques, especially PowerShell, are also used to achieve the Defense Evasion tactic. Adversaries evade defenses with PowerShell by:
The extensive capabilities of PowerShell have also attracted red teams and penetration testers. As a result, powerful red team and penetration testing frameworks and tools have been developed in PowerShell, such as Empire (PowerShell Empire), PowerSploit, Nishang, PoshC2, and Posh-SecMod.
All of these tools are open-source and publicly available. Although they are developed for use by red teams and penetration testers, threat actors frequently leverage them in cyber attack campaigns.
The table below shows some documented uses of these PowerShell post-exploitation frameworks by threat actors:
Framework | Threat actors
Empire (PowerShell Empire) | APT19, CopyKittens, Hades, FIN7, FIN10, MuddyWater, Turla
[framework name not preserved] | APT32, TG-3390
[framework name not preserved] | APT32, APT33, APT41, menuPass, MuddyWater, Turla, WIRTE
Subtechnique 2: T1059.002 AppleScript
AppleScript is a scripting language for macOS used to control programs and components of the operating system via inter-application messages known as AppleEvents. Adversaries can use these events to interact with practically any application running locally or remotely, for example to locate open windows or send keystrokes.
Adversaries use AppleScript to perform various tasks, including interacting with an open SSH connection, moving to remote machines, and even presenting users with bogus dialog boxes. AppleEvents cannot start applications remotely, but they can interact with applications that are already running remotely. AppleScript is also capable of calling the Native API on macOS 10.10 Yosemite and later.
Subtechnique 3: T1059.003 Windows Command Shell
Adversaries usually execute commands via the Windows Command Shell (a.k.a. cmd.exe or just cmd). Although it is not as powerful as PowerShell, the Windows Command Shell allows you to control almost any aspect of a system.
The Windows cmd.exe shell can be used to create scripts and store them in batch files (e.g., .bat or .cmd files) that execute multiple commands and automate time-consuming and repetitive operations such as user account management or nightly backups.
Adversaries frequently execute cmd.exe with the /c argument, for example "cmd.exe /c <command>". The /c parameter tells cmd.exe to run the command and then terminate. Interactive shells may also be spawned (such as a reverse shell) to execute commands and receive their output interactively.
Malware strains use cmd.exe for different purposes. For example, the WastedLocker ransomware that caused a worldwide outage of the services of wearable device maker Garmin uses cmd.exe for:
Subtechnique 4: T1059.004 Unix Shell
The Unix shell is a command-line interpreter that offers a command-line interface for Unix-like operating systems, including Linux, BSD, and macOS. The most frequently used Unix shells are the Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH).
Along with an interactive CLI, the Unix shell includes a scripting language for controlling the OS via shell scripts. A shell script is a collection of commands that are executed in the specified order. The Unix shell has complete control over the entire system and supports standard programming concepts such as variables, loops, functions, conditional tests, and file operations.
Unix shells are capable and flexible utilities for executing commands and controlling systems, so adversaries abuse them to execute malicious commands and payloads. The following are some examples of how Unix shells are used in malware:
Subtechnique 5: T1059.005 Visual Basic
Visual Basic (VB) is a programming language derived from BASIC and created by Microsoft. VB can interoperate with the Component Object Model (COM) and the Native API. Since both COM and the Native API offer mechanisms to use various components of a system, adversaries use them for local code execution.
Adversaries use Visual Basic for execution because of its interoperability with Windows technologies. In addition to the Visual Basic language itself, attackers also use the following derivatives of Visual Basic for scripting:
Subtechnique 6: T1059.006 Python
Adversaries also use scripting interpreters that are not built into operating systems, such as Python. Python is a popular high-level interpreted scripting language. Python interpreters are cross-platform, meaning that they are available for multiple operating systems, and Python has a comprehensive standard library that can perform many functions. So, adversaries also use Python for malicious purposes.
Python can be executed in multiple ways, such as interactively from the command-line interface (CLI), via Python scripts (.py), or via binary executables created by compiling Python code.
Because Python is cross-platform and ships with a comprehensive standard library, adversaries use it to:
Let's take PoetRAT, a Python-based Remote Access Trojan, as an example. Briefly, a Word document containing a VBA script drops a ZIP file and unzips it; the VBA script then executes PoetRAT. Since PoetRAT is a Python script and Windows does not ship a Python interpreter by default, the dropped ZIP file also contains a Python interpreter to run the malware.
Subtechnique 7: T1059.007 JavaScript/JScript
JScript is Microsoft's implementation of the ECMAScript Edition 3 language specification. It is another example of an interpreted scripting language. In most cases, adversaries use JScript to develop droppers/downloaders that install or download the actual malware. They rely on heavy obfuscation of .js files to evade static AV signatures. In some cases, adversaries use JScript and VBA together in their operations, as TrickBot does.
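The Windows Command Shell, Python and JScript sections above share one defensive angle: the interpreters themselves are legitimate, so the useful signal is who launched them, with what, and from where (an Office application spawning cmd.exe /c, a python.exe unpacked under a user profile as in the PoetRAT chain, wscript.exe handed a .js file). The following is an added example, not from this post or from Picus, that applies those checks to process-creation events and walks the parent chain through intermediate interpreters so that a Word-to-cmd-to-python chain is attributed to Word. The event fields assume a Sysmon Event ID 1-style source; the events, paths and file names are constructed.

```python
"""Flag interpreter launches by ancestry, arguments and location.

Added example (not from the post or Picus). Events are dicts with the fields a
Sysmon Event ID 1 record provides (pid, ppid, image, cmdline); that source is
an assumption, and the sample events below are constructed.
"""
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "python.exe", "pythonw.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".py")
# Directories a standard user can write to. An interpreter living there
# (a python.exe unpacked next to the script, as in the PoetRAT chain) is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _name(path):
    return ntpath.basename(path).lower()


def analyze(events):
    """Return findings sorted by the number of reasons, most suspicious first."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = _name(e["image"])
        if image not in INTERPRETERS:
            continue
        reasons = []
        # Walk up through intermediate interpreters so that
        # WINWORD -> cmd.exe /c -> python.exe is attributed to Word.
        parent = by_pid.get(e["ppid"])
        while parent is not None and _name(parent["image"]) in INTERPRETERS:
            parent = by_pid.get(parent["ppid"])
        if parent is not None and _name(parent["image"]) in OFFICE_APPS:
            reasons.append(f"launched under {_name(parent['image'])}")
        tokens = e["cmdline"].split()
        if any(t.strip('"').lower().endswith(SCRIPT_EXTS) for t in tokens):
            reasons.append("script file argument")
        if any(d in e["image"].lower() for d in USER_WRITABLE):
            reasons.append("interpreter runs from user-writable path")
        if image == "cmd.exe" and "/c" in [t.lower() for t in tokens]:
            reasons.append("cmd.exe /c one-shot")
        if reasons:
            findings.append({"pid": e["pid"], "image": image,
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["pid"]))


# Constructed sample events (not real telemetry): a document-borne chain
# like the PoetRAT one, a routine admin one-shot, and a double-clicked .js file.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\report.docm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\py\\python.exe main.py"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe main.py"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\photo.js"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} score={f['score']}: {', '.join(f['reasons'])}")
```

The two processes in the document-borne chain come out on top with three reasons each, while the lone "cmd.exe /c dir" and the .js launch each get a single reason; that ordering is the point, since a one-shot cmd.exe by itself is everyday administration and only becomes interesting in combination with its parent or its location.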
Subtechnique 8: T1059.008 Network Device CLI
Some network devices provide built-in Command Line Interpreters (CLIs). Network administrators use these CLIs to interact with the device for different purposes, such as viewing system information, modifying device configuration, and performing diagnostics. Adversaries abuse network device CLIs to change the behavior of these devices.
Network Device CLI is the newest sub-technique of the Command and Scripting Interpreter technique; it was added in October 2020 with the release of MITRE ATT&CK framework version 8.
Adversaries abuse Command-Line Interfaces of network devices to change the behavior of these devices for:
manipulating traffic flows
loading malicious firmware
disabling security features or logging
For example, two new malware samples were identified in 2013, both targeting Cisco network devices. Adversaries leveraged compromised administrator credentials to modify the in-memory copy of the Cisco IOS code using Cisco IOS command-line interface (CLI) commands. The added code exfiltrated IPv4 packets that matched criteria set by the attacker: the targeted traffic was copied, and those packets were then forwarded to the attacker's Command and Control server.
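The behaviours listed for the Network Device CLI sub-technique (traffic manipulation, loading a different image or firmware, disabling logging) usually leave a trace in the device configuration, so one practical control is to diff the running configuration against a trusted baseline. The following is an added example, not from this post or from Picus, that compares a baseline running-config with a freshly pulled copy and reports changes in exactly those areas. The IOS-style configuration lines are constructed and the watched patterns are assumptions to adapt to your platform; the comparison is line-based and ignores nesting. Note that the in-memory IOS modification from the 2013 case above would not appear in a configuration diff at all, so the running image itself has to be verified separately, for instance by hashing it against a known-good copy.

```python
"""Flag security-relevant drift between two network-device config snapshots.

Added example (not from the post or Picus). The IOS-style lines are constructed
and the watched patterns are assumptions to adjust for your platform; the
comparison is line-based and ignores nesting, which is enough to illustrate
the idea.
"""
import re

# (label, pattern over one normalized config line)
WATCHED = [
    ("logging", re.compile(r"^logging (host|buffered|trap)\b")),
    ("aaa", re.compile(r"^aaa ")),
    ("boot image", re.compile(r"^boot system\b")),
    ("traffic mirroring/export", re.compile(r"^(monitor session|ip traffic-export)\b")),
    ("routing/acl", re.compile(r"^(ip route|access-list|ip access-list)\b")),
]


def normalize(config_text):
    """One entry per non-comment line, whitespace stripped."""
    return {line.strip() for line in config_text.splitlines()
            if line.strip() and not line.strip().startswith("!")}


def config_drift(baseline, pulled):
    """Return (change, label, line) for every watched line removed or added,
    removals first, each group in sorted order."""
    old, new = normalize(baseline), normalize(pulled)
    findings = []
    for change, lines in (("removed", old - new), ("added", new - old)):
        for line in sorted(lines):
            for label, pattern in WATCHED:
                if pattern.search(line):
                    findings.append((change, label, line))
    return findings


# Constructed snapshots (documentation IP ranges, placeholder image names).
# The pulled copy has lost its syslog destination, gained a second boot image
# and a SPAN session that mirrors an interface to another port.
BASELINE_CONFIG = """\
!
hostname edge-rtr-1
boot system flash:approved-image.bin
aaa new-model
logging host 10.0.0.50
logging trap informational
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
"""

PULLED_CONFIG = """\
!
hostname edge-rtr-1
boot system flash:approved-image.bin
boot system flash:update.bin
aaa new-model
logging trap informational
ip route 0.0.0.0 0.0.0.0 198.51.100.1
monitor session 1 source interface GigabitEthernet0/0
monitor session 1 destination interface GigabitEthernet0/2
!
"""

if __name__ == "__main__":
    for change, label, line in config_drift(BASELINE_CONFIG, PULLED_CONFIG):
        print(f"{change:7} [{label}] {line}")
```

On the constructed snapshots this reports the removed syslog destination, the added boot image and the two mirroring lines, and nothing for the unchanged hostname and default route. In a real deployment the baseline would be the last change-controlled configuration, and any finding would be reconciled against the change records before being treated as an incident.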
References
“Updates - July 2020.” https://attack.mitre.org/resources/updates/updates-july-2020/.
“The Red Report 2020.” https://www.picussecurity.com/picus-the-red-report.
“Publicly Available Tools Seen in Cyber Incidents Worldwide | CISA.” https://www.us-cert.gov/ncas/alerts/AA18-284A#Lateral%20Movement%20Framework:%20PowerShell%20Empire.
GReAT, “Olympic Destroyer is still alive.” https://securelist.com/olympic-destroyer-is-still-alive/86169/.
Y. Namestnikov and F. Aime, “FIN7.5: the infamous cybercrime rig ‘FIN7’ continues its activities.” https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/.
Trend Micro, “MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools,” TrendLabs Security Intelligence Blog, 10-Jun-2019. https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/.
ESET, “A dive into Turla PowerShell usage.” https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/.
A. Dahan, “Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group.” https://www.cybereason.com/blog/operation-cobalt-kitty-apt.
R. Falcone and T. Lancaster, “Emissary Panda Attacks Middle East Government SharePoint Servers,” Unit42, 28-May-2019. https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/.
G. Ackerman, “OVERRULED: Containing a Potentially Destructive Adversary,” FireEye. https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html.
Dex, “WIRTE Group attacking the Middle East,” 02-Apr-2019. https://lab52.io/blog/wirte-group-attacking-the-middle-east/.
Y. Grbic, “Macro Malware Targets Macs,” 14-Feb-2017. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/.
O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis.
S. Gatlan, “Garmin outage caused by confirmed WastedLocker ransomware attack,” BleepingComputer, 24-Jul-2020. https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/.
coreyp-at-msft, “attrib.” https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib.
“New TeleBots backdoor: First evidence linking Industroyer to NotPetya,” 11-Oct-2018. https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/.
R. Falcone and J. Miller-Osborn, “Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists,” 24-Jan-2016. https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/.
S. Feldmann, “Chaos: a Stolen Backdoor Rising Again,” 14-Feb-2018. https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/.
T. Reed, “Mac cryptocurrency ticker app installs backdoors,” 29-Oct-2018. https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/.
“LoudMiner: Cross-platform mining in cracked VST software,” 20-Jun-2019. https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/.
“TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered,” 12-Feb-2019. https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/.
Trend Micro, “Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload,” 16-Sep-2019. https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/.
blubracket, “Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex,” Security Boulevard, 24-Jun-2020. https://securityboulevard.com/2020/06/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex/.
W. Mercer, “PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors.” http://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html.
“JScript (ECMAScript3).” https://docs.microsoft.com/en-us/previous-versions/hbxc2t98(v=vs.85).
“Undetected JScript Dropper Installs Sage Ransomware,” 20-Apr-2017. https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/.
G. Holmes, “Evolution of attacks on Cisco IOS devices,” 08-Oct-2015. https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices.