Sub-techniques of Command and Scripting Interpreter Explained - MITRE ATT&CK T1059

LAST UPDATED ON FEBRUARY 13, 2025

In the Red Report 2025, we shared our insights on the top ten most prevalent MITRE ATT&CK techniques employed by adversaries. Following the publication of The Red Report 2025, we have initiated a blog series to delve into each of these ATT&CK techniques in more detail. This year, from a dataset of 1,000,000 observed malware samples, the Command and Scripting Interpreter technique stood out, accounting for 29% of cases. This translates to its presence in 302,443 malware samples, underlining its significant utilization by adversaries.

This blog post represents the first half of our series on the "Command and Scripting Interpreter" technique, where we dissect how adversaries leverage this method. To explore the sub-techniques associated with the T1059 Command and Scripting Interpreter technique, please click here for the second half of the blog.

Adversary Use of Command and Scripting Interpreters

Command and scripting interpreters (e.g., PowerShell, VBScript, Unix shells) are vital for automating tasks by system administrators and programmers. However, attackers exploit these tools to run harmful code on local and remote systems, carrying out activities like data collection, payload deployment, sensitive information access, and persistence via malicious binaries triggered at login. Since these pre-installed languages directly interact with the OS API, adversaries can operate discreetly, evading weak process monitoring. They also misuse LOLBins (Living Off the Land Binaries)—native system utilities used routinely—to download and execute files, perform reconnaissance, and exfiltrate data, often bypassing security policies that block known malicious executables. Although the T1059 technique is tied to MITRE ATT&CK's Execution tactic, attackers leverage native OS utilities across various tactics to achieve their objectives.

In the examples provided, adversaries utilize various native operating system (OS) utilities, which can be accessed through the command line, to achieve objectives aligned with each tactic in the MITRE ATT&CK framework.

#2.1. T1059.001 PowerShell 

PowerShell, an integral scripting language within the Windows operating system, empowers system administrators to automate user account creation and management, alter system configurations, oversee services and processes, and execute diverse tasks with deep access to Windows internals. Given its extensive array of inherent capabilities, adversaries frequently incorporate PowerShell into their attack life-cycle.

Adversary Use of PowerShell

Adversaries frequently avoid installing and utilizing third-party programs on compromised hosts. Such actions can readily trigger correlated alerts in SIEM products or leave traces of their presence on the system. To evade detection and execute stealthy attacks, adversaries often use built-in command-line and scripting utilities rather than third-party programs for executing their commands. PowerShell is one of these native built-in tools commonly observed in adversaries' arsenals. 

Adversaries deploy PowerShell to conduct a broad spectrum of attack techniques:

1. Downloading and Executing Malicious Payloads

PowerShell's versatility as a command and scripting framework makes it a prime target for malicious exploitation, particularly exemplified by the Pioneer Kitten threat group's activities observed in August 2024 [1]:

• The Invoke-WebRequest cmdlet is used to make HTTP or HTTPS requests to specified URLs. 
• Here, the -Uri parameter directs PowerShell to access the URL hxxp://files[.]catbox[.]moe, a site that hosts malicious payloads. 
• The -OutFile parameter specifies the location and name of the downloaded file, saving it to the public directory (C:\Users\Public\) as "malware.exe." This allows the attackers to discreetly deliver their payload onto the targeted system. 

In addition, adversaries often combine this technique with Windows PowerShell Web Access to execute commands remotely on compromised servers. This combination enables them to maintain control over systems, deploy further payloads, or exfiltrate data.

In another example, a phishing campaign analyzed by Cisco Talos in October 2024 involving the delivery of new PowerRAT malware revealed how adversaries employed PowerShell to execute malicious activities on compromised systems [2]. When a victim opens a malicious Microsoft Word document and enables its content, an embedded Visual Basic for Applications (VBA) macro is triggered. This macro decodes hidden Base64-encoded data within the document, extracting two components: a malicious HTML Application (HTA) file and a PowerShell loader script.

The macro saves these components to the user's profile directory and modifies the Windows registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LOAD to automatically execute the HTA file upon user login. When the system restarts, the HTA file runs, invoking the PowerShell loader script, which subsequently loads and executes the PowerRAT malware directly into memory. 

This sequence demonstrates how adversaries leverage PowerShell's capabilities to facilitate fileless malware execution, thereby evading traditional detection mechanisms.

2. Impair Defenses (ATT&CK T1562)

PowerShell is a favored tool among adversaries for its robust capabilities and seamless integration with the Windows operating system, allowing them to execute malicious operations, including disabling critical security features. Its versatility and scripting power make it a prime target for abuse in attacks.

One illustrative example, reported in November 2024, is a PowerShell-based script attributed to the BianLian ransomware group [3], which demonstrates a technique to disable Windows' Antimalware Scan Interface (AMSI), a core defense mechanism for detecting and preventing script-based malware execution. 

The script leverages .NET reflection to bypass AMSI, as shown below:

This script exploits PowerShell's reflective capabilities to dynamically access the System.Management.Automation.AmsiUtils class and manipulate the private static field amsiInitFailed. This field tracks AMSI's initialization state, and by setting it to true, the script effectively disables AMSI, marking it as non-functional. With AMSI bypassed, malicious scripts can execute without being inspected or flagged, evading detection by antivirus and endpoint protection solutions.

Another example, highlighted in a DFIR report released in August 2024, involves the exploitation of PowerShell by command-and-control frameworks such as Sliver and PoshC2 [4]. These frameworks use the following commands to manipulate essential security services on Windows systems:

These commands sequentially disable the Windows Defender feature, restart the Windows Defender service, and forcibly restart the Windows Firewall service. Such actions not only disrupt the built-in security mechanisms but also leave the system vulnerable to further exploitation, enabling attackers to maintain persistence and execute malicious activities undetected.

Again, in our final example, a report released by CISA in November 2024 highlights the tactics employed by Black Basta ransomware affiliates. The attackers leveraged Powershell scripting to disable Endpoint Detection and Response (EDR) tooling. By neutralizing these critical defense mechanisms, the affiliates successfully evaded detection, maintained persistence, and facilitated the execution of their ransomware payloads.

These examples underscore the increasing sophistication of ransomware groups and the necessity for robust defenses capable of detecting and mitigating such targeted attacks.

3. Obfuscated Files or Information (ATT&CK T1027)

Adversaries frequently leverage PowerShell in their campaigns, exploiting its capabilities for obfuscation and deobfuscation to seamlessly conceal and execute malicious scripts. A notable example is the PowerShell decryptor employed in the CoralRaider campaign [5], a critical component of a multi-stage infection chain designed to deliver malware payloads while evading detection.

In this campaign analyzed in April 2024, the PowerShell decryptor script is embedded within an obfuscated HTML Application (HTA) file. Upon execution, it decrypts an AES-encrypted block of data using a 256-byte key derived from a base64-encoded string and a 16-byte initialization vector (IV) set to all zeros [5]. This step unpacks the next-stage PowerShell loader script, which operates entirely in memory, minimizing detectable artifacts.

The loader script then performs several malicious functions, including bypassing User Account Control (UAC) protections by abusing legitimate Windows binaries like FoDHelper.exe. It also modifies registry settings and adds specific directories to the Windows Defender exclusion list, ensuring the persistence and undetected execution of subsequent stages.

Ultimately, the campaign downloads and executes information stealers such as CryptBot, LummaC2, or Rhadamanthys. By combining encryption, obfuscation, and the use of trusted system processes, the PowerShell decryptor establishes a stealthy and efficient malware delivery mechanism, making it difficult for traditional security defenses to detect or analyze the attack.

Publicly Available PowerShell Tools Utilized by Threat Actors

PowerShell's extensive capabilities have made it a favored tool among red teamers and penetration testers, leading to the creation of powerful, publicly available frameworks and tools for red teaming and penetration testing. Prominent examples include Empire [6] for post-exploitation tactics, PowerSploit [7] for security testing, Nishang [8] with varied attack functionalities, PoshC2 [9] for server administration and post-exploitation, and Posh-SecMod [10] offering security and forensic tools. 

#2.2. T1059.002 AppleScript  

AppleScript is a scripting language designed for macOS that enables users to automate tasks and control applications. It operates through AppleEvents, a communication method which, while powerful, can be exploited by adversaries to manipulate application functions and data for malicious purposes.

Despite their capabilities, it's important to recognize that AppleEvents, while unable to initiate remote applications, can interact with and manipulate already running applications. This allows for actions like interacting with open SSH connections, facilitating remote machine access, or creating deceptive dialog boxes. Additionally, AppleScript can leverage native APIs, particularly NSAppleScript or OSAScript, enhancing versatility and application in various scenarios from macOS version 10.10 Yosemite onwards.

For execution, the osascript command is used in the terminal. To run a script file, the command is osascript /path/to/AppleScriptFile, while osascript -e "script here" runs an AppleScript command directly. For instance, osascript -e 'tell app "System Events" to display dialog "System error detected!"' creates a fake error dialog, a tactic often used in social engineering attacks.

Adversary Use of AppleScript

Adversaries can perform a variety of malicious activities by AppleScript.

1. Abuse Elevation Control Mechanism: Elevated Execution with Prompt (T1548.004)

AppleScript can be used to abuse elevation control mechanisms on macOS systems, enabling adversaries to gain elevated privileges and execute malicious actions.

For instance, the AppleScript command given below is used by the HeavyLift malware to elevate its privileges on macOS systems [11]. Upon execution, HeavyLift determines the operating system it is running on. If it detects macOS and finds that it does not have root privileges, it uses the following command:

This command leverages osascript, a macOS utility for running AppleScript, to execute a shell command (bash -c) as an administrator. The placeholder _process_path represents the path to the malicious payload or script that the malware aims to execute with elevated privileges. By appending the with administrator privileges clause, the malware triggers a system prompt to grant root access, allowing it to bypass restrictions and carry out its malicious activities.

This technique highlights how adversaries exploit legitimate macOS features to achieve privilege escalation, underscoring the importance of monitoring and restricting the use of such utilities to mitigate potential threats.

2. Credential Access with GUI Input Capture (T1056.002)

Through GUI-based input capture, adversaries can create scenarios that seamlessly mimic legitimate system behaviors, effectively harvesting credentials without arousing immediate suspicion.

One perfect example is from MacStealer's methodology where the adversaries employ osascript to execute AppleScript code inline [12]. This generates a deceptively simple yet persuasive dialog box. For instance, an attacker might execute the following command:

This script creates a pop-up dialog designed to resemble a legitimate macOS system prompt. The crafted message, "macOS wants to access the System Preferences," is paired with an authoritative title and a cautionary icon to instill a false sense of urgency. The inclusion of a hidden text input field further reinforces the illusion of a routine security measure, subtly coaxing the user into entering their credentials.

This technique, while straightforward, capitalizes on the inherent trust users place in system prompts. It underscores the adversary's ability to exploit human behavior as a vector for initial access.

#2.3. T1059.003 Windows Command Shell 

The Windows Command Shell, known as cmd.exe or cmd, is a core application embedded in the Windows operating system. It may not offer the advanced capabilities of PowerShell, but it remains a tool often exploited by adversaries for executing a variety of malicious activities. These activities include running arbitrary scripts, circumventing security measures, and facilitating lateral movements within networks.

Cmd is particularly adept at constructing and managing batch scripts saved as .bat or .cmd files. These batch files are text documents containing a series of commands for cmd.exe. When executed, they automate complex and repetitive tasks, such as user account management or performing systematic nightly backups. This functionality, while beneficial for legitimate use, also opens doors for misuse in malicious hands.

Adversary Use of Windows Command Shell

Adversaries frequently exploit cmd.exe in Windows, using it with the /c parameter followed by a specific option, as in cmd.exe /c <option>. The /c parameter instructs the command shell to execute the command outlined in the subsequent string. After executing this specified command, the shell automatically terminates. 

1. Credential Dumping (T1003.001)

In November 2024, a CISA advisory detailed how BianLian threat actors utilized a command to dump credentials from the Local Security Authority Subsystem Service (lsass.exe) [3]. By leveraging cmd.exe, the attackers crafted a malicious command that uses legitimate system utilities to extract sensitive information.

Here is the specific command used:

This command first identifies the process ID (PID) of lsass.exe using tasklist and filters it with the find utility. It then invokes rundll32.exe to call comsvcs.dll and create a minidump of lsass.exe, storing the dump as a CSV file in the specified directory. The design of the command is intentional, exploiting the ability of rundll32.exe and comsvcs.dll to operate as legitimate Windows tools. This allows the attackers to generate memory dumps that contain sensitive credentials without triggering immediate suspicion.

2. Downloading and Executing Information Stealers 

Adversaries frequently exploit the Windows Command Shell to deliver and execute malicious payloads within compromised environments. In November 2024, security researchers observed the emergence of a new threat, a new version of PXA Infostealer, actively being deployed in the wild [13].

One instance of its deployment involved the execution of the following command:

This command uses the start command with the /min flag to launch the malicious payload, synaptics.exe, in a minimized window, reducing the likelihood of detection by the user. The payload then executes a Python script embedded within the command.

The script operates in three stages:

1. Downloading the Script: It fetches a base64-encoded script from the attacker's server (hxxps[://]tvdseo[.]com/file/PXA/PXA_BOT) using the urllib.request library.

2. Decoding: The script decodes the fetched base64-encoded content.

3. Execution: Finally, it executes the decoded script, initiating the PXA stealer's functionality.

This method enables the attacker to deliver and execute complex malware components while masking the malicious activity behind legitimate system utilities. 

3. Gaining Access to Sensitive Data

Adversaries often exploit built-in tools to access sensitive data within compromised environments. In April 2024, a CISA advisory detailed how the Akira ransomware group leveraged system commands to extract user data stored in web browsers like Firefox and Chrome [14]. The following commands were used:

In these commands, the attackers used esentutl.exe, a legitimate database recovery tool built into Windows, to copy database files containing sensitive user data.

• Firefox Command:

The command accesses key4.db, a database file used by Firefox to store encrypted credentials, located within the user's Firefox profile directory. This file holds encrypted login information that attackers can decrypt offline.

• Chrome Command:

Similarly, this command targets Chrome's Login Data file, which contains encrypted passwords saved within the browser. The attackers not only access this file but also create a .tmp copy for potential manipulation or offline decryption.

4. Information Discovery & Persistence with Scheduled Tasks

The Interlock ransomware, identified in November 2024, demonstrates a calculated and multifaceted approach to leveraging command-line utilities for malicious purposes [15]. One notable command executed by the Remote Access Tool (RAT) embedded within the fake Chrome browser updater is:

This command gathers detailed system information such as OS configuration, physical and virtual memory statistics, and network details. The collected data is encrypted and transmitted to a C2 server for further exploitation. Additionally, the attacker utilizes PowerShell scripts to deploy credential-stealing and keylogging binaries, enhancing their data exfiltration capabilities.

To maintain persistence, the ransomware also employs the schtasks utility:

This task ensures the ransomware runs daily as a SYSTEM user, solidifying its foothold within the victim's network. By employing these commands alongside tactics like lateral movement through RDP and AnyDesk, the attackers exhibit a sophisticated strategy that underscores the critical need for robust endpoint defenses and vigilant monitoring of command-line activities.

5. Protocol Tunneling (T1572) & Connection Proxy: External Proxy (T1090.003)

The UAT-5647 group, discovered in October 2024, targets Ukrainian and Polish entities, employs advanced malware like RustClaw, DustyHammock, and ShadyHammock, leveraging command-line utilities for system reconnaissance, lateral movement, and data exfiltration. 

A critical tactic involves tunneling internal systems to attacker-controlled endpoints using the PuTTY's Plink utility, as seen in the following command [16]:

This command effectively maps internal ports to external servers, enabling the attackers to bypass traditional network defenses. By exposing internal services through port redirection, UAT-5647 can brute force credentials, monitor network traffic, or exfiltrate sensitive configurations from the compromised infrastructure.

Once inside the network, the attackers shift their focus to reconnaissance. Leveraging PowerShell, they perform ping sweeps to identify active systems within the victim's environment:

This scanning technique allows the threat actors to identify live hosts and prioritize their targets. Following this, they deploy customized batch files, such as nv.bat, to enumerate network shares and identify accessible resources:

With their targets identified, UAT-5647 proceeds to extract data.

#2.4. T1059.004 Unix Shell 

The Unix shell, an essential command-line interface for Unix-like operating systems, incorporates several variants, including the Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH). These shells offer a range of commands and functionalities for efficient file management and program execution. 

The Unix shell is not just an interactive interface but also a scripting environment, allowing users to write scripts for automating tasks and system operations. Its scripting language supports various programming features such as conditional statements, loops, file operations, and variables, making it a versatile tool for system automation and management.

Adversary Use of Unix Shell

The Unix shell's versatile functionality and adaptability render it a valuable resource for both authorized users and malicious actors. Adversaries exploit the Unix shell to carry out diverse commands and deploy payloads, including malware or other malicious code, on a target system. Unix shell commands frequently feature prominently in the arsenal of techniques employed by adversaries in their attack campaigns.

1. Exploitation with SSH

In January 2024, security researchers uncovered multiple vulnerabilities in the OAS Engine, exposing critical flaws in its existing releases [17]. The exploitation of vulnerabilities in the OAS Engine illustrates how seemingly minor issues can be combined to achieve significant privilege escalation on Unix-based systems. After gaining authentication, an attacker can explore the filesystem for critical files like sshd_config or .ssh/authorized_keys, using commands such as:

This reconnaissance helps identify SSH configurations and determine if public key authentication is enabled. Leveraging the OAS Engine's vulnerabilities, the attacker manipulates the system to inject their SSH public key into the authorized_keys file, mimicking a command like:

This ensures persistent access, allowing them to connect via SSH:

With shell access established, the attacker may further manipulate configuration files, such as .bashrc or .zshrc, to modify the environment and maintain control, for example:

By combining application vulnerabilities with Unix shell tools, the attacker gains elevated access and system control, highlighting the critical need for timely patching and secure configurations.

2. Impair Defenses: Modify System Firewall (T1562.004)

In another example showcased by CISA in July 2024, APT40 leverages Unix shell tools extensively to maintain access and execute commands on compromised systems [18]. After gaining initial access, the group deploys web shells, enabling arbitrary command execution through Unix shells such as bash or zsh. This provides a flexible environment for reconnaissance, credential harvesting, and lateral movement. 

For instance, the actors use tools like nmap for network scanning, as well as commands such as iptables-save to manipulate firewall configurations and create unauthorized access points:

These actions enable persistence and facilitate exfiltration over secure or tunneled channels. 

3. Downloading, Loading and Executing Malicious Payloads

In the CISA advisory released in February 2024, Volt Typhoon adversaries leveraged Unix Shell as part of their command and scripting interpreter techniques to maintain and expand their access within compromised environments [19]. Specifically, the Unix Shell was utilized alongside other command-line interfaces such as PowerShell and Windows Management Instrumentation (WMI), providing the attackers with a versatile and stealthy means of executing commands, managing processes, and streaming data across networks. 

This method, facilitated through tools like Brightmetricagent.exe, demonstrates their ability to integrate advanced shell capabilities for bi-directional data streaming, remote execution, and precise manipulation of compromised systems while evading detection through legitimate system processes.

#2.5. T1059.005 Visual Basic 

Visual Basic (VB) is a programming language initially developed by Microsoft, stemming from the BASIC language. Known for its user-friendly and straightforward nature, VB has gained popularity as a choice for application development and process automation. Its ability to interact with various technologies, such as the Component Object Model (COM) and the Native API, makes it a valuable tool for individuals with malicious intent, enabling them to execute code on targeted systems.

In addition to the core Visual Basic language, attackers also exploit related languages derived from it for scripting purposes, namely Visual Basic for Applications (VBA) and VBScript (Microsoft Visual Basic Scripting Edition).

Adversary Use of Visual Basic

As a competent and versatile tool, Visual Basic is leveraged by adversaries to its fullest extent for malicious activities.

Downloading, Loading, and Executing Malicious Payloads

Visual Basic can be exploited to download, load, and execute malicious payloads by embedding harmful scripts or code into VBScript or VBA macros. These scripts leverage built-in functions like XMLHTTP or WinHTTP to retrieve payloads from remote servers and execute them using commands such as Shell or CreateObject. Notably, cybersecurity reports from 2024 highlighted the widespread abuse of Visual Basic and its derivatives, including VBA and VBScript, by threat actors to deploy malicious code on targeted systems.

Void Banshee Campaign

In July 2024, security researchers reported on the Void Banshee campaign, which targeted Windows users through a vulnerability identified as CVE-2024-38112 [20]. The attack chain involved the use of a malicious HTML Application (HTA) file* containing a VBScript. This script decrypted XOR-encrypted content and executed it using PowerShell, facilitating the download and execution of additional malicious scripts from compromised web servers.

CoralRaider Campaign

In April 2024, another researcher uncovered the CoralRaider campaign, which targeted victims' data and social media accounts [21]. The attackers employed a malicious VBScript embedded within an HTA file. This VBScript executed an embedded PowerShell script in memory, which sequentially ran additional scripts to perform anti-virtual machine and anti-analysis checks, bypass User Access Controls, disable Windows and application notifications, and ultimately download and execute the RotBot malware. 

Water Hydra Campaign

The final example is from February 2024, researchers analyzed the Water Hydra campaign, which exploited a vulnerability (CVE-2024-21412) to bypass Microsoft Defender SmartScreen [22]. The final payload of this attack was a RAT known as DarkMe, written in Visual Basic. This malware communicated with its command-and-control server using a custom protocol over TCP, demonstrating the sophisticated use of Visual Basic in executing malicious operations. 

These instances underscore the persistent threat posed by adversaries leveraging Visual Basic and its scripting variants to execute malicious code and maintain unauthorized access to targeted systems.

#2.6. T1059.006 Python 

Python, a high-level interpreted programming language, has gained popularity among adversaries for its simplicity and versatility. With its extensive standard library and cross-platform availability on various operating systems, Python serves as a valuable tool for automating processes, executing code, and interacting with different systems. Adversaries frequently employ Python to carry out a range of malicious activities.

Adversary Use of Python

The versatility and portability of Python render it a valuable asset for attackers in their operations. Python can seamlessly run on most operating systems and can be readily integrated into various tools and frameworks.

1. Malicious Scripting for Credential Harvesting

In January 2024, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory detailing the Androxgh0st malware, a Python-scripted threat primarily used to target .env files containing confidential information, such as credentials for high-profile applications like Amazon Web Services (AWS) and Microsoft Office 365 [23]. Threat actors deploying Androxgh0st have been observed exploiting specific vulnerabilities, including CVE-2017-9841, to remotely execute code on vulnerable websites via PHPUnit.

2. Downloading Malicious DLLs with Python-based Scripting

In May 2024, researchers reported on a campaign targeting Brazilian users with a new banking trojan named "CarnavalHeist" [24]. The attack chain involved a Windows batch file that downloaded a Python interpreter from the official Python FTP server and installed it in a malware-created folder. Subsequently, an embedded base64-encoded Python script was executed, serving as a loader to inject a malicious DLL payload into memory:

#2.7. T1059.007 JavaScript 

JavaScript, a high-level language used for interactive web pages and applications, follows the ECMAScript specification for cross-browser compatibility. However, its widespread use and flexibility also make it a tool for malicious actors to execute phishing, spread malware, and extract sensitive data, exploiting web browser and application vulnerabilities.

Adversary Use of JavaScript

Adversaries leverage JavaScript for a variety of malicious purposes. 

Downloading, Loading and Executing Malicious Payloads

In October 2024, security researchers analyzed the WarmCookie malware family, also known as BadSpace, which emerged in April 2024. This malware was distributed via malspam and malvertising campaigns, often utilizing malicious JavaScript downloaders hosted on compromised servers [25]. 

In this campaign, JavaScript plays a critical role in WarmCookie's infection chain. The malware leverages malicious JavaScript downloaders hosted on compromised servers to execute the next stage of the attack. These JavaScript files are obfuscated to evade detection and are typically delivered via malspam or malvertising campaigns. 

Once executed, the JavaScript deobfuscates and runs a PowerShell command, which retrieves and executes the WarmCookie DLL payload. This use of JavaScript as a downloader highlights its utility in initiating malware infections by bridging the gap between delivery and execution stages, making it an effective tool for attackers.

In the Water Makara spear phishing campaign, discovered in October 2024, JavaScript is employed as a core component of the attack chain to facilitate malware delivery and evasion [26]. The attackers embed heavily obfuscated JavaScript commands within LNK files and HTML attachments, leveraging techniques like Base64 encoding and variable renaming to bypass security defenses. Once executed via legitimate utilities such as mshta.exe, the JavaScript decodes and reconstructs malicious URLs or payloads dynamically, enabling the download and execution of the Astaroth information-stealing banking trojan. 

Additionally, the campaign utilizes JavaScript's GetObject function to retrieve and execute objects from attacker-controlled C&C servers. This sophisticated use of JavaScript allows the attackers to exploit legitimate tools and evade detection, making the campaign highly effective against its Brazilian targets.

#2.8. T1059.008 Network Device CLI

Network administrators frequently utilize Command Line Interpreters (CLIs) for network device management and upkeep. Malicious actors may exploit these CLIs to manipulate network device functionality to their advantage, including altering device configurations or executing unauthorized operations.

Access to CLIs is typically achieved by utilizing a terminal emulator program with the device's IP address and corresponding username and password. Upon successful login, users can input commands to perform various tasks, such as inspecting or modifying device configurations, monitoring real-time statistics and data, or observing the device's performance. CLIs generally provide an array of device-specific and operating system-specific commands.

Adversary Use of Network Device CLI

Network device Command Line Interface (CLI) represents a common focal point for adversaries seeking to manipulate the functionality of network devices.

Various methods exist through which adversaries attempt to gain unauthorized access to a network device's CLI. One prevalent approach involves employing brute force attacks, wherein the adversary systematically tests different combinations of usernames and passwords to ascertain the correct credentials. This process can be automated using specialized tools. Discovering the credentials for a network device may prove straightforward, as many users neglect to change default usernames and passwords.

Exploiting these CLIs by adversaries enables them to modify network device behavior to their advantage, potentially leading to unauthorized actions and disruptions in network operations.

ArcaneDoor Campaign

In April 2024, researchers uncovered the "ArcaneDoor" campaign, where state-sponsored actors exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) software.

In this espionage-focused campaign, adversaries exploited the network device CLI (Command Line Interface) to manipulate and control compromised perimeter network devices. Using their custom malware, "Line Dancer," the attackers executed specific commands to modify configurations, exfiltrate data, and maintain stealth. By issuing commands like show configuration, they extracted detailed device configurations, enabling further reconnaissance and lateral movement. The attackers also disabled logging through CLI to avoid detection and conceal their activities. Additionally, they used the CLI to create and exfiltrate packet captures, providing insights into network traffic. Commands like write mem were employed to save malicious changes to the device's memory, ensuring persistence. These malicious actions leveraged the CLI's legitimate functionality to execute their espionage operations effectively.

These commands showcase how the attackers leveraged the CLI to perform reconnaissance, modify system behavior, and exfiltrate critical data while evading detection.

#2.9. T1059.009 Cloud API

Cloud Application Programming Interfaces (APIs) have emerged as pivotal elements in modern cloud computing, offering a comprehensive means for programmatically interacting with a wide array of cloud services. These APIs, integral to cloud environments like AWS, Azure, and Google Cloud Platform (GCP), provide functionalities spanning various domains such as compute, storage, identity and access management (IAM), networking, and security policies. 

Accessible through multiple interfaces, including command line interpreters (CLIs), browser-based Cloud Shells, and PowerShell modules like Azure for PowerShell, these APIs facilitate seamless integration and management of cloud resources. Additionally, software development kits (SDKs) for popular programming languages like Python further streamline the use of these APIs, enabling developers to embed cloud functionalities directly into their applications.

Adversary Use of Cloud API

The versatile nature of cloud APIs, while beneficial for legitimate management and automation, also opens up avenues for exploitation by adversaries. These APIs, when accessed with appropriate permissions (like Application Access Tokens or Web Session Cookies), can be used to carry out a range of actions that could compromise cloud environments. Malicious actors can exploit these interfaces to execute commands or scripts remotely, potentially affecting multiple aspects of a cloud tenant's infrastructure. The accessibility of these APIs, through both cloud-hosted and on-premises hosts or via browser-based cloud shells provided by cloud platforms, amplifies the risk. The cloud shells, in particular, offer a unified environment for using CLI and scripting modules, which, if misused, can lead to significant security breaches within the cloud infrastructure.

Downloading, Loading, and Executing Malicious Payloads

In May 2024, cybersecurity researchers observed a significant uptick in the exploitation of the Microsoft Graph API by threat actors [27]. These adversaries leveraged the API to establish covert communication channels for malware, effectively blending malicious traffic with legitimate cloud service activities to evade detection. 

Notably, several nation-state-aligned hacking groups, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig, were identified utilizing the Microsoft Graph API for command-and-control (C&C) communications. This tactic involved hosting C&C infrastructure on Microsoft cloud services, thereby masking malicious operations within trusted platforms. 

A specific instance involved the deployment of a previously undocumented malware named BirdyClient* (also known as OneDriveBirdyClient) against an organization in Ukraine. This malware used the Microsoft Graph API to interact with OneDrive, serving as a C&C server for uploading and downloading files. The malicious DLL associated with BirdyClient was designed to mimic legitimate software components, further complicating detection efforts.

The increasing abuse of the Microsoft Graph API underscores the challenges organizations face in securing their networks against sophisticated cyber threats that exploit trusted cloud services. To mitigate such risks, it is imperative to implement robust monitoring of API activities, enforce strict access controls, and maintain up-to-date security measures across all cloud-based platforms.

#2.10. T1059.010 AutoHotKey & AutoIT

AutoHotKey (AHK) and AutoIt are scripting languages and automation tools designed for automating repetitive tasks and creating macros on Windows systems. This highlights how attackers utilize AHK and AutoIt to execute malicious code or automate actions on compromised systems. These tools are frequently used for tasks such as keystroke injection, user interface manipulation, and creating system macros, enabling actions that typically fall outside the standard operations of legitimate software.

Adversary Use of AutoHotKey & AutoIT

AutoHotKey and AutoIT are popular due to their simplicity and flexibility in automating tasks and creating standalone scripts that can be executed on Windows environments without requiring external tools or complex infrastructure. While both tools are legitimate, they can be weaponized by adversaries to carry out malicious actions, making them useful in the context of cyberattacks.

AutoHotKey:

AutoHotKey is a free, open-source scripting language primarily designed for automating the Windows GUI and general scripting. It allows users to create macros and automate repetitive tasks. The language is highly accessible, and attackers can use it to:

• Simulate keypresses and mouse movements to interact with the system.
• Inject malicious payloads into running applications.
• Perform credential theft by capturing sensitive information, such as passwords, by simulating user input.

Attackers can compile these scripts into executable files (.exe), which are often harder to detect than regular scripts since they appear as standard executables. They can then be distributed or executed on victim machines to perform tasks like launching malware or performing reconnaissance.

AutoIT:

AutoIT is another scripting language designed for automating the Windows GUI. While it is similar to AutoHotKey in functionality, it is often used for more complex scripting, such as system management and creating automated installation packages. Like AutoHotKey, AutoIT scripts can be compiled into standalone executables that attackers can use for:

• Automating processes within malicious software.
• Installing backdoors, including by interacting with the Windows system registry or user environment.
• Downloading and executing additional payloads.

AutoIT can be used by attackers to perform a wide range of actions, such as executing files, controlling user systems, and running other malicious programs, making it a powerful tool for adversaries when they want to remain undetected or perform automated tasks with minimal interaction.

For instance, in March 2024, researchers observed a shift in the DarkGate malware campaign, transitioning from AutoIT to AutoHotKey scripts to enhance stealth and automation [29]. 

Here's how AutoIt scripts were utilized in this campaign:

The attackers packaged the DarkGate payload within a fake MSI installer that included a custom DLL file and AutoIt components. Upon execution, the AutoIt script decrypted the malware payload and loaded it into memory. This script, embedded within the MSI file, was responsible for executing several stages of the malware delivery chain, ensuring that the payload remained concealed and difficult to detect.

The AutoIt loader extracted multiple files, including the main AutoIt script, and executed them to decrypt and load the next stage of the malware. It utilized encoded data from an external source (test.txt) and processed it to construct malicious commands and further payloads [30]. The script dynamically allocated memory and modified execution permissions to facilitate the loading and execution of the DarkGate RAT in memory without touching the disk, effectively bypassing traditional security measures.

By leveraging AutoIt, the attackers could automate the complex processes required to decrypt and execute the malware while avoiding detection, demonstrating the scripting language's adaptability for malicious purposes. This campaign highlights the misuse of legitimate automation tools like AutoIt in sophisticated cyberattacks.

#2.11. T1059.011 Lua

Lua is a lightweight, high-level scripting language designed for simplicity and flexibility, often used for embedding into applications to enable customization and automation. Its speed, portability, and ease of integration make it popular in game development, configuration management, and extensibility for software tools. However, its benign nature and flexibility also make Lua an appealing tool for adversaries in cyber operations. 

Adversary Use of Lua

Adversaries exploit Lua's capabilities to script and execute malicious activities. Since Lua can be embedded in various software environments and execute dynamic code, attackers can integrate it into malware frameworks or modify legitimate software to serve their purposes. Examples of adversary use include, such as, payload execution, evasion techniques, system automation and reconnaissance, and fileless attacks.

The use of Lua by adversaries demonstrates the dual-edged nature of scripting languages: while powerful for legitimate applications, their adaptability can be exploited in malicious contexts, highlighting the importance of monitoring scripting activity within systems.

For instance, in October 2024, security researchers identified Lua malware targeting the educational sector, exploiting Lua gaming engine supplements popular among students. Originating as a packed Lua loader earlier in the year, the malware has evolved into a global threat, often delivered as ZIP archives containing obfuscated Lua scripts and components like Lua compilers and DLL files.

These scripts use advanced obfuscation with the Prometheus obfuscator, making reverse engineering difficult. The malware leverages Lua's flexibility, executing malicious tasks via a command-and-control (C2) server, gathering system data, and establishing persistence through scheduled tasks. It frequently targets users downloading game cheats from platforms like GitHub.

The malware is a precursor to payloads like Redline infostealers, which exfiltrate sensitive data for resale on the dark web. Morphisec combats these threats with its automated moving target defense (AMTD) technology, blocking attacks early without relying on traditional detection methods.

References

[1] S. Özeren, “Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations,” Aug. 28, 2024. Available: https://www.picussecurity.com/resource/blog/pioneer-kitten-cisa-alert-aa24-241a. [Accessed: Nov. 26, 2024]

[2] C. Raghuprasad, “Threat actor abuses Gophish to deliver new PowerRAT and DCRAT,” Cisco Talos Blog, Oct. 22, 2024. Available: https://blog.talosintelligence.com/gophish-powerrat-dcrat/. [Accessed: Nov. 26, 2024]

[3] “#StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. [Accessed: Dec. 19, 2023]

[4] “Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts,” The DFIR Report, Aug. 12, 2024. Available: https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/. [Accessed: Nov. 26, 2024]

[5] C. Talos, “Suspected CoralRaider continues to expand victimology using three information stealers,” Cisco Talos Blog, Apr. 23, 2024. Available: https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/. [Accessed: Nov. 26, 2024]

[6] “Empire/Invoke-TokenManipulation.ps1 at master · EmpireProject/Empire,” GitHub. Available: https://github.com/EmpireProject/Empire. [Accessed: Dec. 12, 2022]

[7] “GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework,” GitHub. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: Dec. 13, 2022]

[8] “GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security,” GitHub. Available: https://github.com/samratashok/nishang. [Accessed: Dec. 13, 2022]

[9] “PoshC2,” Nettitude Labs, Jun. 20, 2016. Available: https://labs.nettitude.com/tools/poshc2/. [Accessed: Dec. 13, 2022]

[10] “GitHub - darkoperator/Posh-SecMod: PowerShell Module with Security cmdlets for security work,” GitHub. Available: https://github.com/darkoperator/Posh-SecMod. [Accessed: Dec. 13, 2022]

[11] C. Talos, “Operation Celestial Force employs mobile and desktop malware to target Indian entities,” Cisco Talos Blog, Jun. 13, 2024. Available: https://blog.talosintelligence.com/cosmic-leopard/. [Accessed: Nov. 26, 2024]

[12] “AppleScript,” Red Canary, Mar. 11, 2024. Available: https://redcanary.com/threat-detection-report/techniques/applescript/. [Accessed: Nov. 26, 2024]

[13] J. Chen, “New PXA Stealer targets government and education sectors for sensitive information,” Cisco Talos Blog, Nov. 14, 2024. Available: https://blog.talosintelligence.com/new-pxa-stealer/. [Accessed: Nov. 26, 2024]

[14] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[15] E. Biasiotto, “Unwrapping the emerging Interlock ransomware attack,” Cisco Talos Blog, Nov. 07, 2024. Available: https://blog.talosintelligence.com/emerging-interlock-ransomware/. [Accessed: Nov. 27, 2024]

[16] D. Korzhevin, “UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants,” Cisco Talos Blog, Oct. 17, 2024. Available: https://blog.talosintelligence.com/uat-5647-romcom/. [Accessed: Nov. 27, 2024]

[17] J. Rittle, “OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges,” Cisco Talos Blog, Jan. 31, 2024. Available: https://blog.talosintelligence.com/oas-engine-deep-dive/. [Accessed: Nov. 27, 2024]

[18] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a

[19] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

[20] “CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks,” Trend Micro, Jul. 15, 2024. Available: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html. [Accessed: Nov. 27, 2024]

[21] C. Raghuprasad, “CoralRaider targets victims’ data and social media accounts,” Cisco Talos Blog, Apr. 04, 2024. Available: https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/. [Accessed: Nov. 27, 2024]

[22] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Nov. 27, 2024]

[23] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

[24] C. Talos, “New banking trojan ‘CarnavalHeist’ targets Brazil with overlay attacks,” Cisco Talos Blog, May 31, 2024. Available: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/. [Accessed: Nov. 27, 2024]

[25] E. Brumaghin, “Threat Spotlight: WarmCookie/BadSpace,” Cisco Talos Blog, Oct. 23, 2024. Available: https://blog.talosintelligence.com/warmcookie-analysis/. [Accessed: Nov. 27, 2024]

[26] “Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targets Brazil With Astaroth Malware,” Trend Micro, Oct. 14, 2024. Available: https://www.trendmicro.com/en_in/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html. [Accessed: Nov. 27, 2024]

[27] M. Callahan, “API Breaches Continue,” Oct. 15, 2024. Available: https://salt.security/blog/its-2024-and-the-api-breaches-keep-coming. [Accessed: Nov. 27, 2024]

[28] “Defending Against Cyber Threats Leveraging Microsoft Graph API,” Default. Available: https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-010. [Accessed: Nov. 27, 2024]

[29] C. Talos, “DarkGate switches up its tactics with new payload, email templates,” Cisco Talos Blog, Jun. 05, 2024. Available: https://blog.talosintelligence.com/darkgate-remote-template-injection/. [Accessed: Nov. 27, 2024]

[30] “CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign,” Trend Micro, Mar. 13, 2024. Available: https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html. [Accessed: Nov. 27, 2024]