T1059 Command and Scripting Interpreter of the MITRE ATT&CK Framework

Picus Labs analyzes new cybersecurity incidents and malware strains and expands Picus Threat Library continuously. Last year alone, we analyzed millions of TTPs used by adversaries and added thousands of attack simulations to our threat library. Hence, we can comprehensively observe the cyber threat landscape and provide insight into techniques used by adversaries. 

In the Red Report 2023, we shared our findings on the Top Ten Most Prevalent MITRE ATT&CK Techniques used by adversaries. In accordance with The Red Report 2023, we also decided to write a blog series that explains these ATT&CK techniques in detail. This is the first blog of the series where we explained the most used MITRE ATT&CK technique, T1059 Command and Scripting Interpreter.

The Red Report 2024 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries DOWNLOAD NOW

MITRE ATT&CK T1059 Command and Scripting Interpreter

Command and Scripting Interpreter is an execution technique that adversaries utilize to execute commands, scripts, and binaries on target systems. Attackers frequently use this technique to interact with local and remote systems and execute malicious code on the victim's assets. Due to its direct impact and effectiveness, Command and Scripting Interpreter technique is the most used adversary technique in the MITRE ATT&CK framework and the top-ranked technique in the Red Report 2023.

What is a Command and Scripting Interpreter?

An interpreter is a computer program that directly executes instructions written in a programming or scripting language without compiling them beforehand. Interpreters simplify the code writing process and allow human-readable code to be executed directly. For this reason, attackers prefer using interpreters in their attack campaigns.

T1059 Command and Scripting Interpreter technique can be broken down into the following two segments:

• Command Interpreters or Shells are built-in operating system tools that execute user-specified commands. Well-known command interpreters are: 
• Windows Command Shell
• PowerShell
• Unix Shell
• A script is an ordered sequence of commands written in a scripting language and does not require compiling. Scripting interpreters execute scripts. Some well-known scripting languages are:

Adversary Use of Command and Scripting Interpreters

Legitimate users such as system administrators and programmers use command interpreters to execute arbitrary tasks. They use scripting interpreters to accelerate operational tasks by automating them in scripts.

While command and scripting interpreters are developed for legitimate users, adversaries frequently utilize one or more interpreters to execute malicious code and interact with local and remote systems during attack campaigns. For example, attackers use scripts to enumerate running services and processes, discover system and user information and persist in the victim machine by executing the malicious payload each time a user logs in.

Moreover, some scripting languages interact directly with the OS through an API such as PowerShell and VBScript in Windows systems, Unix shells in Unix-like systems, and AppleScript in macOS. Therefore, adversaries can use them to bypass weak process monitoring mechanisms. They are built-in tools in operating systems, so using them is stealthier than using custom tools.

Subtechnique 1: T1059.001 PowerShell

PowerShell is an interactive command-line shell and scripting language that is included in Windows operating systems by default. System administrators frequently use PowerShell to manage the operating system and automate complex tasks due to its extensive access to the internals of Windows. Adversaries have also recognized the value of such a significant weapon in their repository.

PowerShell was a stand-alone technique before the MITRE ATT&CK framework update now; it is a sub-technique under  Command and Scripting Interpreter technique [1]. In the Picus Red Report 2020, it was ranked as the second most frequently used MITRE ATT&CK technique [2].

Adversary Use of PowerShell

It is simple to detect a third-party program that is used to execute malicious commands on the Windows operating system. As a result, adversaries usually execute commands by abusing built-in Windows command-line and scripting tools rather than third-party programs to evade detection. 

PowerShell is one of the utilities that attackers use to develop fileless malware that runs entirely in memory and leaves no traces on the disk. Adversaries can conduct sophisticated malicious activities with PowerShell due to its broad access to the operating system's internals. Additionally, attackers abuse PowerShell for maintaining persistence, discovering information, collecting and exfiltrating data, and lateral movement.

In the MITRE ATT&CK Framework, Command and Scripting Interpreter technique is categorized only in the Execution tactic. However, its sub-techniques, especially PowerShell, are also used to achieve the Defense Evasion tactic. Adversaries evade defenses with PowerShell by:

• disabling Windows Defender
• bypassing Antimalware Scan Interface (AMSI)
• downloading and running malware payloads in memory
• executing sophisticated codes without installing extra software
• disabling Script Block Logging to prevent detection
• injecting malicious code into legitimate processes 
• manipulating access tokens 

Publicly Available PowerShell Tools Utilized by Threat Actors

The extensive capabilities of PowerShell have piqued the interest of red teams and penetration testers. As a result, powerful red team and penetration testing frameworks and tools have been developed using PowerShell, such as Empire (PowerShell Empire) [3], PowerSploit [4], Nishang [5], PoschC2 [6], and Posh-SecMod [7].
All of these tools are open-source and publicly available. Although these tools are developed for use by red teams and penetration testers, threat actors frequently leverage them in cyber attack campaigns.
The table given below demonstrates some use cases of these PowerShell post-exploitation frameworks by threat actors:

 Subtechnique 2: T1059.002 AppleScript

AppleScript is a scripting language for macOS  used to control programs and components of the operating system via inter-application messages known as AppleEvents. Adversaries can use these events to interact with practically any application running locally or remotely, such as locating open windows and transmitting keystrokes.

Adversary Use of AppleScript

Adversaries use AppleScript to perform various tasks, including interacting with an open SSH connection, moving to remote machines, and even presenting users with bogus dialog boxes.  These events cannot remotely start applications, but they can interact with applications already running remotely. AppleScript is capable of executing Native APIs on macOS 10.10 Yosemite and later.

Since it is a scripting language, AppleScript can also be used to execute more conventional techniques, such as a reverse shell via Python. For example, macro malware developers use AppleScript to run their malicious code on Mac systems. The macro code in a macro malware checks whether WScript.Shell, the Windows Script Shell,  is present [21]. If WScript is not present, the code executes the MacScript function of the VBA. This function runs an AppleScript script that spawns a reverse shell via Python. As another use case of the AppleScript sub-technique, trojan utilizes AppleScript to create a Login Item [22]. macOS malware uses Login Items for persistence since they can execute applications when the users log on. Moreover, AppleScript is also utilized by the WebTools component of the Bundlore adware to inject malicious JavaScript code into the browser [23].

Subtechnique 3: T1059.003 Windows Command Shell

Adversaries usually execute commands via the Windows Command Shell (a.k.a. cmd.exe or just cmd). Although it is not as powerful as PowerShell, the Windows Command Shell allows you to control almost any aspect of a system. 

The Windows cmd.exe shell can be used to create scripts and store them in batch files (e.g.,.bat or .cmd files) that can be used to execute multiple commands and automate time-consuming and repetitive operations such as user account management or nightly backups.

Adversary Use of Windows Command Shell

Adversaries frequently execute cmd.exe with the /c argument, for example, “cmd.exe /c <command>. The /c parameter is used to terminate the shell after command completion [24]. Interactive shells may also be spawned (such as a reverse shell) to execute commands and get outputs interactively.

Malware strains utilize cmd.exe for different purposes. For example, the WastedLocker ransomware that has caused a worldwide outage of services of wearable device maker Garmin [25] uses cmd.exe for:

• Execute malicious payloads
• Creating delays for virtualization evasion 
• (MITRE ATT&CK T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion) [26]
• Deleting service binaries for Indicator Removal on Host via File Deletion
• (MITRE ATT&CK T11070.004 Indicator Removal on Host: File Deletion) [27]
• Modify file attributes with the attrib command [28]

Subtechnique 4: T1059.004 Unix Shell

The Unix shell is a command-line interpreter that offers a command-line interface for Unix-like operating systems, including Linux, BSD, macOS. The most frequently used Unix shells are the Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH). 

Along with an interactive CLI, the Unix shell includes a scripting language for controlling the OS's execution via shell scripts. A shell script is a collection of commands that are executed in the specified order. The Unix shell has complete control over the entire system and supports standard programming concepts such as variables, loops, functions, conditional tests, and file actions.

Adversary Use of Unix Shell

Unix shells are capable and flexible utilities for executing commands and controlling systems. Thus, adversaries abuse them to execute malicious commands and payloads. The following are some examples of how Unix shells are used in malware:

• Controlling remote systems with SSH during the lateral movement and command and control (C2) phases.
• Executing multiple commands on victims, e.g., macOS Bundlore adware [23], Derusbi malware [29], and Linux/Exaramel backdoor [30].
• Creating a reverse shell, e.g. CallMe OSX Trojan [31], Chaos backdoor [32], Cointicker macOS cryptocurrency ticker [33].
• Starting/stopping OS services and installed applications, e.g. LoudMiner cross-platform cryptocurrency miner [34], WindTail OSX backdoor [35].
• Downloading additional payloads, e.g. Shlayer macOS malware [35], [36], Skidmap cryptocurrency miner [37].

Subtechnique 5: T1059.005 Visual Basic

Visual Basic (VB) is a programming language derived from BASIC and created by Microsoft. VB can interoperate with the Component Object Model (COM) and the Native API. Since both COM and Native API offer mechanisms to use various components of a system, adversaries use them for local code execution.

Adversary Use of Visual Basic

Adversaries use Visual Basic for execution because of its interoperability with Windows technologies. In addition to Visual Basic language, attackers also use the following derivative languages of Visual Basic for use in scripting:

• Visual Basic for Applications (VBA): VBA is a Visual Basic implementation that enables process automation, access to the Windows APIs, and other low-level features via DLLs. It is featured in the majority of Office Software, including those for macOS. As an example, adversaries place their malicious code in VBA macros embedded in Microsoft Office files and then deliver these malicious files to victims via email attachments (MITRE ATT&CK T166.001 Spearphishing Attachment). 
• Microsoft Visual Basic Scripting Edition (VBScript): VBScript is a Visual Basic derivative that enables the user to control many parts of the system through the use of Component Object Model (COM). Although VBScript was first targeted at web developers by offering web client scripting in Internet Explorer and web server scripting in IIS, it quickly gained acceptance from Windows system administrators and adversaries because of its extensive functionality.  For instance, in a malware campaign disclosed in March 2020, an encoded VBScript package was used to drop Zloader, Ursnif, Qakbot, and Dridex [38]. The initial access vector is an email containing a zip file containing a VBScript script (.vbs) that looks like an invoice.

Subtechnique 6: T1059.006 Python

Adversaries also use scripting interpreters that are not built-in in the operating systems, such as Python. Python is a popular high-level interpreted scripting language. Python interpreters are cross-platform, meaning that they are available for multiple operating systems. Python also has a comprehensive standard library that can perform many functions. So, adversaries also use Python for malicious purposes.

Adversary Use of Python

Python can be executed in multiple ways, such as interactively from the command-line interface (CLI), via Python scripts (.py), or via binary executables created by compilation of Python code.

Python interpreters are cross-platform, and it has a comprehensive standard library that can perform many functions. Because of these features, adversaries use Python to:

• execute commands
• create vulnerability exploitation tools
• download malicious payloads
• perform various malicious behaviors

Let's take PoetRAT, a Python-based Remote Access Trojan, as an example [39]. Briefly, it drops a ZIP file and unzips it using a Word document that contains a VBA script. Then, the VBA script executes the PoetRAT after unzipping. Since PoetRAT is a Python script and Windows does not have a Python interpreter by default, the dropped zip file also contains a Python interpreter for the execution of the malware.

Subtechnique 7: T1059.007 JavaScript

JavaScript (JS) is a high-level, multi-paradigm programming language that supports event-driven, functional, and imperative programming styles. JavaScript is compliant with ECMAScript specification, which is a standard for the interoperability of Web pages across different browsers. In fact, ECMAScript is the official name of the JavaScript language.

Adversary Use of JavaScript

Jscript is Microsoft's implementation of the ECMAScript Edition 3 language specification [40]. It is another example of interpreted scripting languages. In most cases, adversaries utilize JScript to develop droppers/downloaders to install/download the actual malware [41], [42]. They rely on  heavy obfuscation of .js files that can evade static AV signatures [41], [42]. In some cases, adversaries use JScript and VBA together in their operations like TrickBot [43].

Subtechnique 8: T1059.008 Network Device CLI

Some network devices provide built-in Command Line Interpreters (CLIs). Network administrators use these CLIs on network devices to interact with the device for different purposes, such as viewing system information, modifying device configuration, and performing diagnostics. Adversaries abuse Network Device CLIs to change the behavior of these devices.

Network Device CLI is the newest sub-technique of the Command and Scripting technique and added in October 2020 with release of MITRE ATT&CK framework version 8.

Adversary Use of Network Device CLI

Adversaries abuse Command-Line Interfaces of network devices to change the behavior of these devices for:

• manipulating traffic flows

• loading malicious firmware

• disabling security features or logging

For example, two new malware samples were identified in 2013, both targeting the Cisco network devices [44]. Adversaries leveraged compromised administrator credentials to modify the Cisco IOS code's in-memory copy, using Cisco IOS command-line interface (CLI) commands. The added code exfiltrated IPv4 packets that matched the criteria set by the attacker. The targeted traffic is copied, and those packets are then forwarded to the Command and Control server of the attacker.

References

[1] “Updates - July 2020.” https://attack.mitre.org/resources/updates/updates-july-2020/.

[2] “The Red Report 2020.” https://www.picussecurity.com/picus-the-red-report.

[3] EmpireProject, “GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent.” https://github.com/EmpireProject/Empire.

[4] PowerShellMafia, “GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework.” https://github.com/PowerShellMafia/PowerSploit.

[5] samratashok, “GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.” https://github.com/samratashok/nishang.

[6] nettitude, “GitHub - nettitude/PoshC2: A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.” https://github.com/nettitude/PoshC2.

[7] darkoperator, “GitHub - darkoperator/Posh-SecMod: PowerShell Module with Security cmdlets for security work.” https://github.com/darkoperator/Posh-SecMod.

[8] “Publicly Available Tools Seen in Cyber Incidents Worldwide | CISA.” https://www.us-cert.gov/ncas/alerts/AA18-284A#Lateral%20Movement%20Framework:%20PowerShell%20Empire.

[9] https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf.

[10] GReAT, “Olympic Destroyer is still alive.” https://securelist.com/olympic-destroyer-is-still-alive/86169/.

[11] Y. Namestnikov and F. Aime, “FIN7.5: the infamous cybercrime rig ‘FIN7’ continues its activities.” https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/.

[12] https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf.

[13] T. Micro, “MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools - TrendLabs Security Intelligence Blog,” 10-Jun-2019. https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/.

[14] ESET, “A dive into Turla PowerShell usage.” https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/.

[15] A. Dahan, “Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group.” https://www.cybereason.com/blog/operation-cobalt-kitty-apt.

[16] R. Falcone and T. Lancaster, “Emissary Panda Attacks Middle East Government SharePoint Servers,” Unit42, 28-May-2019. https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/.

[17] G. Ackerman, “OVERRULED: Containing a Potentially Destructive Adversary,” FireEye. https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html.

[18] “[Report] Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation,” FireEye. content.fireeye.com.

[19] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf.

[20] Dex, “WIRTE Group attacking the Middle East,” 02-Apr-2019. https://lab52.io/blog/wirte-group-attacking-the-middle-east/.

[21] Y. Grbic, “Macro Malware Targets Macs,” 14-Feb-2017. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/.

[22] “Mac Malware of 2017.” https://objective-see.com/blog/blog_0x25.html#Dok.

[23] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis.

[24] “CMD.exe.” https://ss64.com/nt/cmd.html.

[25] S. Gatlan, “Garmin outage caused by confirmed WastedLocker ransomware attack,” BleepingComputer, 24-Jul-2020. https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/.

[26] “Virtualization/Sandbox Evasion: Time Based Evasion.” https://attack.mitre.org/techniques/T1497/003/.

[27] “Indicator Removal on Host: File Deletion.” https://attack.mitre.org/techniques/T1070/004/.

[28] coreyp-at-msft, “attrib.” https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib.

[29] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf.

[30] “New TeleBots backdoor: First evidence linking Industroyer to NotPetya,” 11-Oct-2018. https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/.

[31] R. Falcone and J. Miller-Osborn, “Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists,” 24-Jan-2016. https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/.

[32] S. Feldmann, “Chaos: a Stolen Backdoor Rising Again,” 14-Feb-2018. https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/.

[33] T. Reed, “Mac cryptocurrency ticker app installs backdoors,” 29-Oct-2018. https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/.

[34] “LoudMiner: Cross‑platform mining in cracked VST software,” 20-Jun-2019. https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/.

[35] “Middle East Cyber-Espionage.” https://objective-see.com/blog/blog_0x3B.html.

[36] “TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered,” 12-Feb-2019. https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/.

[37] T. Micro, “Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload,” 16-Sep-2019. https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/.

[38] blubracket, “Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex - Security Boulevard,” 24-Jun-2020. https://securityboulevard.com/2020/06/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex/.

[39] W. Mercer, “PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors.” http://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html.

[40] “JScript (ECMAScript3).” https://docs.microsoft.com/en-us/previous-versions/hbxc2t98(v=vs.85).

[41] “Undetected JScript Dropper Installs Sage Ransomware,” 20-Apr-2017. https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/.

[42] https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_Analysis_Script.Trojan-Downloader.Fodevepdf.A.pdf.

[43] “Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader,” 03-Sep-2019. https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/.

[44] G. Holmes, “Evolution of attacks on Cisco IOS devices,” 08-Oct-2015. https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices.