Command and Scripting Interpreter
May 1, 2024 · View on GitHub
| ID | E1059 |
| Objective(s) | Execution |
| Related ATT&CK Techniques | Command and Scripting Interpreter (T1059, T1623) |
| Version | 2.2 |
| Created | 2 August 2022 |
| Last Modified | 30 April 2024 |
Command and Scripting Interpreter
Malware may abuse command and script interpreters to execute commands, scripts, or binaries. This is often done to carry out various malicious activities, such as exploring the system, escalating privileges, or exfiltrating data. Built-in command-line interpreters or scripting environments of the operating system, such as cmd.exe or Powershell on Windows, or Bash on Unix-like systems, are often used. Additionally, adversaries may use other scripting languages like Python, Perl, or Javascript.
See ATT&CK: Command and Scripting Interpreter (T1059, T1623).
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Poison Ivy | 2005 | -- | After the Poison Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1] |
| WebCobra | 2018 | -- | From the command line, the malware drops and unzips a password-protected Cabinet archive file. [1] |
| GoBotKR | 2019 | -- | GoBotKR uses cmd.exe to execute commands. [2] |
| Kovter | 2016 | -- | The malware executes malicious javascript and powershell. [3] |
| SamSam | 2015 | -- | SamSam uses a batch file for executing the malware and deleting certain components. [4] |
| Shamoon | 2012 | -- | The wiper component of Shamoon creates a service to run the driver with the command: sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul and sends an additional reboot command after completion. Shamoon also accepts command line arguments.[5] |
| Stuxnet | 2010 | -- | Stuxnet will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell. [6] |
| EvilBunny | 2011 | -- | EvilBunny executes Lua scripts. [7] |
| Netwalker | 2020 | -- | Netwalker is written and executed in Powershell. [8] |
| CryptoLocker | 2013 | -- | The malware accepts command line arguments. [9] |
| Dark Comet | 2008 | -- | The malware accepts command line arguments. [9] |
| Gamut | 2014 | -- | Gamut accepts command line arguments. [9] |
| Hupigon | 2013 | -- | Hupigon accepts command line arguments. [9] |
| Mebromi | 2011 | -- | Mebromi accepts command line arguments. [9] |
| Redhip | 2011 | -- | Redhip accepts command line arguments. [9] |
| Rombertik | 2015 | -- | The malware accepts command line arguments. [9] |
| SearchAwesome | 2018 | -- | The malware installs a script to inject a JavaScript script and modify web traffic. [10] |
| TrickBot | 2016 | -- | TrickBot accepts command line arguments. [9] |
| UP007 | 2016 | -- | The malware accepts command line arguments. [9] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| accept command line arguments | Command and Scripting Interpreter (E1059) | GetCommandLine, CommandLineToArgv, System.Environment::GetCommandLineArgs |
| run PowerShell expression | Command and Scripting Interpreter (E1059) | System.Management.Automation.PowerShell::Create, System.Management.Automation.PowerShell::AddScript, System.Management.Automation.PowerShell::Invoke |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| office_postscript | Command and Scripting Interpreter (E1059) | NtWriteFile |
| js_suspicious_redirect | Command and Scripting Interpreter (E1059) | CDocument_write, JsEval, COleScript_ParseScriptText, COleScript_Compile |
| odbcconf_bypass | Command and Scripting Interpreter (E1059) | -- |
| regsvr32_squiblydoo_dll_load | Command and Scripting Interpreter (E1059) | LdrLoadDll |
| squiblydoo_bypass | Command and Scripting Interpreter (E1059) | -- |
| squiblytwo_bypass | Command and Scripting Interpreter (E1059) | -- |
| exe_dropper_js | Command and Scripting Interpreter (E1059) | JsEval |
| persistence_registry_script | Command and Scripting Interpreter (E1059) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| ie_martian_children | Command and Scripting Interpreter (E1059) | -- |
| bcdedit_command | Command and Scripting Interpreter (E1059) | ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW |
| office_martian_children | Command and Scripting Interpreter (E1059) | -- |
| js_phish | Command and Scripting Interpreter (E1059) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| disables_winfirewall | Command and Scripting Interpreter (E1059) | -- |
| script_tool_executed | Command and Scripting Interpreter (E1059) | -- |
| cmdline_obfuscation | Command and Scripting Interpreter (E1059) | -- |
| cmdline_switches | Command and Scripting Interpreter (E1059) | -- |
| cmdline_terminate | Command and Scripting Interpreter (E1059) | -- |
| cmdline_forfiles_wildcard | Command and Scripting Interpreter (E1059) | -- |
| cmdline_http_link | Command and Scripting Interpreter (E1059) | -- |
| cmdline_long_string | Command and Scripting Interpreter (E1059) | -- |
| cmdline_reversed_http_link | Command and Scripting Interpreter (E1059) | -- |
| long_commandline | Command and Scripting Interpreter (E1059) | -- |
| powershell_renamed_commandline | Command and Scripting Interpreter (E1059) | -- |
| wmi_script_process | Command and Scripting Interpreter (E1059) | NtCreateUserProcess, CreateProcessInternalW |
| disables_mappeddrives_autodisconnect | Command and Scripting Interpreter (E1059) | ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW |
| system_account_discovery_cmd | Command and Scripting Interpreter (E1059) | -- |
| system_currently_loggedin_user_cmd | Command and Scripting Interpreter (E1059) | -- |
| system_info_discovery_cmd | Command and Scripting Interpreter (E1059) | -- |
| system_info_discovery_pwsh | Command and Scripting Interpreter (E1059) | -- |
| system_network_discovery_cmd | Command and Scripting Interpreter (E1059) | -- |
| system_network_discovery_pwsh | Command and Scripting Interpreter (E1059) | -- |
| system_user_discovery_cmd | Command and Scripting Interpreter (E1059) | -- |
| powershell_network_connection | Command and Scripting Interpreter (E1059) | URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, InternetReadFile |
| powershell_scriptblock_logging | Command and Scripting Interpreter (E1059) | -- |
| powershell_command_suspicious | Command and Scripting Interpreter (E1059) | -- |
| powershell_renamed | Command and Scripting Interpreter (E1059) | -- |
| powershell_reversed | Command and Scripting Interpreter (E1059) | -- |
| powershell_variable_obfuscation | Command and Scripting Interpreter (E1059) | -- |
| office_com_load | Command and Scripting Interpreter (E1059) | LdrGetDllHandle, LdrLoadDll |
| office_vb_load | Command and Scripting Interpreter (E1059) | LdrGetDllHandle, LdrLoadDll |
| office_wmi_load | Command and Scripting Interpreter (E1059) | LdrGetDllHandle, LdrLoadDll |
| document_script_exe_drop | Command and Scripting Interpreter (E1059) | NtWriteFile |
| windows_defender_powershell | Command and Scripting Interpreter (E1059) | -- |
| office_suspicious_processes | Command and Scripting Interpreter (E1059) | NtCreateUserProcess, CreateProcessInternalW |
| script_created_process | Command and Scripting Interpreter (E1059) | NtCreateUserProcess, CreateProcessInternalW |
| script_network_activity | Command and Scripting Interpreter (E1059) | URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, SslEncryptPacket, InternetReadFile |
| suspicious_js_script | Command and Scripting Interpreter (E1059) | JsEval, COleScript_ParseScriptText |
E1059 Snippet
Execution::Command and Scripting Interpreter
SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8 Location: 0x41B7A6call dword ptr [->KERNEL32.DLL::GetCommandLineW]
References
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[4] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[6] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[7] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
[8] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[11] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[12] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
[13] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy