MITRE ATT&CK – T1059: Command and Scripting Interpreter
By Austin Miller
And we’ve done it! Number one in the Red Report breakdown of the top 10 MITRE ATT&CK tactics from 2021 – command and scripting interpreter attacks. After a long and storied breakdown of each tactic and how the adversary uses it, you probably want to catch up on how the adversary approaches an attack. For anyone who wants a refresher or joined late…
Present in 53,582 individual samples – 26% of the entire library of samples collected by Picus – command and scripting interpreter tactics are extremely common. Looking at some of the most infamous malware examples that have terrorized security professionals, we can see this tactic used over and over again. Scrolling through the procedure examples on the MITRE ATT&CK T1059 page is enough to make any security professional queasy – Cobalt Strike, Conti, DarkComet, the Lazarus Group, and REvil among a cadre of other malicious actors.
What are Command and Scripting Interpreter tactics?
Any time that the adversary uses commands, scripts, or binaries to attack a victim, we are looking at command and scripting interpreter tactics. By using legitimate interpreters on a system, the adversary has yet another way of Living off the Land (LotL): running code, moving laterally, and executing software during an attack.
Interpreters execute code directly without compiling it, allowing threat actors to run instructions more easily. The way the adversary does this can depend on the type of interpreter that they use:
- Command interpreters such as the Windows Command Shell, PowerShell, or Unix Shell all take commands that are inputted by the user or are already present in the system. These commands are processed one-by-one. Command interpreters are also built into some programming languages like Python, Perl, and Ruby.
Of course, that’s a vastly oversimplified explanation of interpreters. For a full exploration of how interpreters work and are exploited by the adversary, check out the full Red Report here (page 12).
How does the adversary use command and scripting interpreters?
Because various operating systems (OS) use various command and scripting interpreters (with considerable overlap), the adversary has multiple ways to use built-in tools to exploit the victim. This means that the problem is going to find you and your network no matter how obscure the OS that your organization relies on is. Understanding the various ways threat actors exploit them is necessary to stopping them in their tracks.
T1059.001 – PowerShell
Although PowerShell was once recognized as an offensive technique of its own back in the day (formerly listed as T1086 – PowerShell), it is now understood as a sub-technique within the broader command and scripting interpreter technique. The use of PowerShell is especially common due to the ubiquity of Windows machines that are used in Western enterprises today.
With PowerShell, the adversary can use a variety of Windows command line and scripting tools to create fileless malware that runs in memory, access OS internals, attain persistence through continuously loading a script to memory, laterally move, discover, collect, and exfiltrate data. Because there is a great overlap in the functionality of PowerShell and other tactics/techniques that the adversary uses, you may also notice the following attack types that rely on the use of PowerShell, including:
- Downloading payloads to execute on a target system
- Executing code without downloading easily detectable software
- Antimalware detection and/or Windows Defender evasion
- Automatically blocking security events
- Injecting code
- Impersonating user logon tokens
Because PowerShell is an extremely powerful offensive utility (not least because it is already available on all Windows systems), it is a necessary part of the red teamer toolkit as well as the adversarial arsenal. Because of that, we have seen a number of frameworks and tools that are built around PowerShell, including:
- PowerShell Empire
T1059.002 – AppleScript
Apple users, you’re not safe either. As expected, AppleScript is used to interpret code and scripts for Apple devices such as MacBooks. Based on inter-application messages called AppleEvents, any application is a potential target for the adversary who has mastered AppleScript manipulation. Some of the most nefarious tactics include:
- Intercepting SSH connections
- Moving to remote machines
- Accessing Native APIs (due to AppleScript supporting this functionality since Yosemite)
An interesting use case for security professionals working with Apple machines is that the adversary will identify WScript.shell before launching an attack. This functionality is the Windows Script Shell. If the .shell file cannot be found, a reverse Python shell is created via AppleScript to execute malicious code. Some examples of this type of attack occurring include OSX/Dok and Bundlore.
T1059.003 – Windows Command Shell (cmd)
What cybercriminal would say that they are skilled in their illicit craft if they did not know how to utilize cmd[.]exe to their advantage? The Windows Command Shell is a versatile tool that gives the adversary many ways to exploit a victim’s system; however, the /c parameter seems to be the most common.
Running /c ([carry] out the command specified by string and then terminates) is the basis of malware such as WastedLocker. By focusing attacks on Garmin products, WastedLocker created delays to evade detection, deleted service executables, modified file attributes through the attrib command, and executed payloads.
Numerous other examples of the malicious use of cmd include Chimera, Cobalt Strike, HermeticWizard, and QakBot.
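From the defender's side, the /c pattern described above can be pulled out of process-creation telemetry. The following is an added example, not code from the Red Report or MITRE: it assumes events carry a `CommandLine` field as Sysmon process-creation events do, and the function names, the watch list and the sample events are constructed for illustration.

```python
import ntpath
import re

# Switches before /c (for example /q or /d) are skipped; /c itself is case-insensitive.
SLASH_C = re.compile(r'^(?:\s*/(?!c)\S+)*\s*/c\s*(?P<carried>.*)$', re.IGNORECASE)

# Carried commands worth a closer look. "attrib" comes from the article's
# WastedLocker description; "del" is an assumption added for file deletion.
WATCHED = {"attrib": "file attribute change", "del": "file deletion"}

def split_image(command_line):
    """Split a Windows command line into (first token, remainder), honouring quotes."""
    text = command_line.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return (text[1:], "") if end == -1 else (text[1:end], text[end + 1:])
    head, _, rest = text.partition(" ")
    return head, rest

def carried_command(command_line):
    """Return the string cmd.exe /c would carry out, or None if this is not cmd /c."""
    image, rest = split_image(command_line)
    if ntpath.basename(image).lower() not in ("cmd", "cmd.exe"):
        return None
    match = SLASH_C.match(rest)
    return match.group("carried").strip() if match else None

def triage(events):
    """Yield (command line, carried string, reason) for each cmd /c event."""
    for event in events:
        carried = carried_command(event["CommandLine"])
        if carried is None:
            continue
        words = carried.strip('"').split()
        verb = ntpath.splitext(ntpath.basename(words[0]))[0].lower() if words else ""
        yield event["CommandLine"], carried, WATCHED.get(verb, "cmd /c execution")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": r'"C:\Windows\System32\cmd.exe" /c attrib -h C:\Temp\report.txt'},
    {"CommandLine": r'cmd /Q /C "del C:\Temp\old.log"'},
    {"CommandLine": r'C:\Windows\System32\cmd.exe'},
    {"CommandLine": r'notepad.exe C:\notes\cmd /c.txt'},
]

if __name__ == "__main__":
    for line, carried, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {carried!r}  <- {line}")
```

Because cmd /c is also used constantly by legitimate software, the output is a triage list to correlate with parent process and user context, not a verdict.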
T1059.004 – Unix Shell
Back to macOS, but with Linux and BSD too this time. Using the various Unix shells on Unix-like OSs, the adversary can leverage the likes of Bourne Shell, Bourne-Again Shell, zsh, ksh, and SSH to attack victim machines. Again, as these attacks are not restricted to one type of shell, they are varied and give threat actors a wide range of ways to attack.
All Unix shells offer both a CLI and a scripting language to execute shell scripts. Using this dual functionality, we see a wide range of attack types such as using SSH to move laterally and connect with command and control (C2) centres, quickly launching multiple commands on a victim, creating a reverse shell, starting or killing OS services and applications, and downloading payloads.
T1059.005 – Visual Basic
If you need a programming language that easily interoperates with COM and Native API, Visual Basic (VB) is another Windows-specific language. Whether you are just accessing command interpreters with basic VB or building malicious scripts with VBA or VBScript, the versatile language can be used to launch both major types of attacks.
Integrating with COM and Native API mechanisms means that malware such as Ursnif, Qakbot, and Dridex have all been successfully dropped by the adversary through VB-related attacks.
How do I defend my organization against command and scripting interpreter attacks?
Mitigating command and scripting interpreter attacks is difficult. The MITRE ATT&CK framework only offers one method for stopping this technique:
- M1038 – Execution Prevention
In effect, this means blocking any execution of code via application control or script blocking. This approach is inelegant and requires a great deal of cybersecurity overhead – you either create a blacklist and are constantly playing catch-up with the latest attacks from the adversary or you create a whitelist and meticulously build a collection of safe processes that won’t harm your system. Thanks to other techniques in our MITRE ATT&CK breakdown, this probably won’t be completely bulletproof either.
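The blacklist versus whitelist trade-off can be made concrete with a small simulation. This is an added example, not part of the original article or of any application-control product: it assumes both lists match on the SHA-256 of the script content, and the script bodies, timeline and update rules are constructed for illustration.

```python
import hashlib

def sha256(script: bytes) -> str:
    return hashlib.sha256(script).hexdigest()

def blocklist_allows(script, known_bad):
    """Default allow: only content already catalogued as bad is stopped."""
    return sha256(script) not in known_bad

def allowlist_allows(script, approved):
    """Default deny: only content that was reviewed and approved runs."""
    return sha256(script) in approved

# Constructed, harmless stand-ins for script files (not real samples).
BACKUP_V1 = b"Copy-Item C:\\Data D:\\Backup -Recurse\n"
BACKUP_V2 = BACKUP_V1.rstrip() + b" -Force\n"            # legitimate update
UNWANTED = b"Write-Output 'stand-in for an unwanted script'\n"
UNWANTED_VARIANT = UNWANTED + b"# one added comment\n"   # same behaviour, new hash

# (script body, is it legitimate?) in the order the requests arrive.
TIMELINE = [(BACKUP_V1, True), (UNWANTED, False), (BACKUP_V2, True),
            (UNWANTED_VARIANT, False), (UNWANTED, False)]

def simulate(timeline):
    """Replay the timeline under both policies and count what each one costs.

    Modelling assumptions: the blocklist learns a hash only after that content
    has run once; the allowlist owner approves a legitimate script after its
    first denial.
    """
    known_bad, approved = set(), {sha256(BACKUP_V1)}
    result = {"blocklist_unwanted_runs": 0, "allowlist_unwanted_runs": 0,
              "allowlist_legit_denials": 0}
    for body, legit in timeline:
        if not legit and blocklist_allows(body, known_bad):
            result["blocklist_unwanted_runs"] += 1
            known_bad.add(sha256(body))        # catch-up after the fact
        if not legit and allowlist_allows(body, approved):
            result["allowlist_unwanted_runs"] += 1
        if legit and not allowlist_allows(body, approved):
            result["allowlist_legit_denials"] += 1
            approved.add(sha256(body))         # review, then approve
    return result

if __name__ == "__main__":
    print(simulate(TIMELINE))
```

The blocklist lets each new variant run once before it catches up, while the allowlist pays instead in denied legitimate updates that someone has to review; the allowlist's zero here covers only hash-matched script files in this model.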