1. Home
  2. Techniques
  3. Command and Scripting Interpreter

Command and Scripting Interpreter

Sub-techniques (1)
ID Name
T1059.009 Cloud API

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell [MITRE] while Windows installations include the Windows Command Shell [MITRE] and PowerShell [MITRE] .

There are also cross-platform interpreters such as Python [MITRE] , as well as those commonly associated with client applications such as JavaScript [MITRE] and Visual Basic [MITRE] .

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access [MITRE] payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services [MITRE] in order to achieve remote Execution.

Detection

Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

References

  1. mitre-attack
  2. Remote Shell Execution in Python
  3. Cisco IOS Software Integrity Assurance - Command History
  4. Powershell Remote Commands

Technique Information

ID: T1059
Aliases: T1059
Sub-techniques:
Tactics:
  • Execution
Platforms:
  • Linux
  • macOS
  • Windows
  • Network
  • Office 365
  • Azure AD
  • IaaS
  • Google Workspace
  • Amazon Web Services (AWS)
Created: 12 Sep 2024
Last Modified: 03 Jun 2025