In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research found that Command-Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware.
A Command-Line Interface (CLI) offers a way of interacting with local or remote computer systems. As an execution technique, adversaries use one or more CLIs to run their code, interact with local and remote systems, and execute other software during an attack campaign.
Introduction
Operating systems (OS) provide one or more built-in Command-Line Interfaces (CLIs) to users. Not only legitimate users but also adversaries frequently use the built-in OS CLIs to run their commands, since a third-party program that executes commands is easy to detect.
As an Execution technique, CLI is critical to running adversary-controlled code on a local or remote system. Execution techniques are typically combined with techniques from all other tactics to accomplish specific aims, such as lateral movement and data exfiltration.
In this article, we review:
- the fundamentals of the Command-Line Interface technique
- updates on the technique in the new version of the ATT&CK framework
- sub-techniques of the new version of the Command-Line Interface technique
- its use cases by threat actors and malware
- Red team exercises for this technique
Changes in the New Version of the MITRE ATT&CK Framework
The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK sub-techniques are a way to describe a specific implementation of a technique in more detail.
In the new sub-technique version of the MITRE ATT&CK Framework, the name of the Command-Line Interface technique has been changed to Command and Scripting Interpreter, and seven sub-techniques have been added under this technique:
- T1086 PowerShell and T1155 AppleScript were existing techniques in the previous version and became sub-techniques in the new version, T1059.001 PowerShell and T1059.002 AppleScript respectively.
- T1059.003 Windows Command Shell was included in the T1059 Command-Line Interface technique in the previous version and became a sub-technique in the new version.
- The T1064 Scripting technique in the previous version was deprecated and split into the separate T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, and T1059.007 JavaScript/JScript sub-techniques of T1059 Command and Scripting Interpreter.
Command and Scripting Interpreter Sub-techniques
In this blog post, the first three sub-techniques will be explained. Since Scripting was the sixth most prevalent ATT&CK technique according to our 10 Critical ATT&CK Technique research, we will describe the remaining four sub-techniques in our Scripting
blog post.
- T1059.001 PowerShell
PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows operating systems. Since PowerShell has extensive access to Windows internals, system administrators frequently use it to manage and configure the operating system, and automate complex tasks. Not only system administrators but also adversaries have realized the potential in incorporating this powerful tool into their arsenal.
Before becoming a sub-technique of the Command and Scripting Interpreter technique, PowerShell was a stand-alone technique. It appeared as the second most frequently used MITRE ATT&CK technique in our Ten Critical ATT&CK Techniques research. Click here to read our detailed blog post on the PowerShell technique.
- T1059.002 AppleScript
AppleScript is a macOS scripting language that allows users to directly control scriptable macOS applications, as well as parts of macOS itself [2]. Scripts - sets of written instructions - can be created to automate repetitive tasks, integrate features from multiple scriptable applications, and build complex workflows. A scriptable application is an application that can be controlled by a script. For AppleScript, scriptable applications are responsive to inter-application messages, called Apple events. An Apple event can be sent from a script, an application, or macOS itself.
Macro malware developers use AppleScript to run their malicious code on Mac systems. For example, the macro code in a macro malware sample verifies whether WScript.Shell - the Windows Script Shell - is present [3]. If WScript is not detected, the code executes the MacScript function of VBA. This function executes an AppleScript script that creates a reverse shell via Python. As another use case of the AppleScript sub-technique, the OSX/Dok trojan utilizes AppleScript to create a Login Item [4]. macOS malware uses Login Items for persistence since they can execute applications when users log on. Moreover, AppleScript is also utilized by the WebTools component of the Bundlore adware to inject malicious JavaScript code into the browser [5].
- T1059.003 Windows Command Shell
Adversaries frequently utilize the Windows command shell (also known as cmd.exe, command line, or simply cmd) for execution. It is an application built into the Windows OS that accepts commands and executes them. Although not as powerful as PowerShell, the Windows Command Shell can control almost any aspect of a system. PowerShell was developed to extend the capabilities of the Command Shell.
The Windows cmd.exe shell can be used to build scripts and store them in batch files (e.g., .bat or .cmd files) to run multiple commands and automate long and repetitive tasks like user account management or nightly backups.
Adversaries commonly use cmd.exe with the /c parameter, as in cmd.exe /c <command>. The /c parameter is used to run the command and then terminate the shell after command completion [6]. Interactive shells may also be created (such as a reverse shell) to run commands and get their output interactively.
Malware families abuse cmd.exe for different purposes. For example, the WastedLocker ransomware that recently caused a worldwide outage of services of wearable device maker Garmin [7] uses cmd.exe for:
- Executing malicious payloads
- Creating delays for Virtualization/Sandbox Evasion (MITRE ATT&CK T1497) via Time Based Evasion (MITRE ATT&CK T1497.003) [8]
- Deleting service executables for Indicator Removal on Host (MITRE ATT&CK T1070) via File Deletion (MITRE ATT&CK T1070.004) [9]
- Modifying file attributes with the attrib command [10]
Red and Blue Team Exercises
Red Teaming - How to simulate?
Briefly, the following cmd.exe one-liner gets system information using an obfuscated command.
C:\Users\who>cmd.exe /c ,p"o"wer^s^hell"."ex^e G"e"t"-"Wm^i"O"bje"c"t -Cl"a"s^s win32_ComputerSystem
Let's split and analyze the command:
- cmd.exe /c: As mentioned above, the /c parameter is used to run the command and then terminate the shell after command completion (MITRE ATT&CK T1059.003 Windows Command Shell) [6].
- Inserted characters for obfuscation (T1406 Obfuscated Files or Information):
  - Comma: The comma (,) character serves as a delimiter and can be used instead of the whitespace character in cmd.exe commands. Attackers use this feature to obfuscate commands.
  - Carets: The caret (^) is the escape character of cmd.exe and one of the most commonly used characters for obfuscating cmd.exe commands to evade rigid detection signatures.
  - Double quotes: In this command, double quotes (") are used to wrap single characters, which is equivalent to concatenating those characters with the ones around them.
After removing the above obfuscation characters, we have the following de-obfuscated command:
C:\Users\who>cmd.exe /c powershell.exe Get-WmiObject -Class win32_ComputerSystem
- powershell.exe: cmd.exe will run a PowerShell command (MITRE ATT&CK T1059.001 PowerShell).
- Get-WmiObject: The PowerShell command uses the Get-WmiObject cmdlet, which gets instances of WMI classes or information about the available WMI classes (MITRE ATT&CK T1047 Windows Management Instrumentation).
- Win32_ComputerSystem: This WMI class provides system information (MITRE ATT&CK T1082 System Information Discovery).
In conclusion, this command incorporates five different ATT&CK techniques.
Blue Teaming - How to detect?
The following Sigma rule can be used to detect gathering system information with the Get-WmiObject cmdlet of PowerShell:
title:
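As an added example (not part of the original post and not Picus Labs' code), the following Python script applies the de-obfuscation steps walked through in the red team analysis above to process command lines, then runs a Get-WmiObject / Win32_ComputerSystem check against the normalized text, the way a detection pipeline would before a rule like the one referenced in this section is evaluated. The sample command lines are constructed for this example (the first is the obfuscated one-liner analyzed above); the regular expression and the function names are assumptions, not taken from the page or from any published Sigma rule.

```python
import re

# Constructed sample process-creation command lines for this example (not
# real telemetry). The first is the obfuscated one-liner analysed in the text;
# the second is its plain form; the third is an unrelated benign command.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c ,p"o"wer^s^hell"."ex^e G"e"t"-"Wm^i"O"bje"c"t -Cl"a"s^s win32_ComputerSystem',
    'cmd.exe /c powershell.exe Get-WmiObject -Class win32_ComputerSystem',
    'cmd.exe /c dir C:\\Users',
]

# Constructed detection pattern (assumption, not a published Sigma rule):
# Get-WmiObject (or its gwmi alias) followed somewhere by Win32_ComputerSystem.
WMI_SYSINFO_PATTERN = re.compile(
    r"\b(get-wmiobject|gwmi)\b.*\bwin32_computersystem\b", re.IGNORECASE
)


def normalize_cmd(command_line: str) -> str:
    """Undo the cmd.exe-level obfuscation tricks described in the text.

    - caret (^) is cmd.exe's escape character outside quotes: '^x' -> 'x'
    - double quotes only delimit; the quote characters themselves are dropped
    - comma and semicolon are argument delimiters outside quotes, so they are
      treated like whitespace
    Runs of whitespace are then collapsed so the result matches what an
    analyst would write as the de-obfuscated command.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(command_line):
        ch = command_line[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            # Escape: keep the next character literally (a trailing ^ is dropped)
            if i + 1 < len(command_line):
                out.append(command_line[i + 1])
                i += 1
        elif ch in ",;" and not in_quotes:
            out.append(" ")
        else:
            out.append(ch)
        i += 1
    return " ".join("".join(out).split())


def naive_match(command_line: str) -> bool:
    """Signature applied to the raw command line, without normalization."""
    return WMI_SYSINFO_PATTERN.search(command_line) is not None


def detect_wmi_sysinfo(command_line: str) -> dict:
    """Normalize first, then match; also flag whether normalization changed
    anything, which is itself a useful signal of cmd.exe obfuscation."""
    normalized = normalize_cmd(command_line)
    return {
        "original": command_line,
        "normalized": normalized,
        "obfuscated": normalized != " ".join(command_line.split()),
        "match": WMI_SYSINFO_PATTERN.search(normalized) is not None,
    }


def scan(command_lines):
    """Return the detection records for every command line that matches."""
    return [r for r in (detect_wmi_sysinfo(c) for c in command_lines) if r["match"]]


if __name__ == "__main__":
    for record in scan(SAMPLE_COMMAND_LINES):
        flag = "obfuscated" if record["obfuscated"] else "plain"
        print(f"[{flag}] {record['normalized']}")
```

Run as a script, it lists the matching records. The point of the two-stage design is that the raw-signature check in naive_match misses the obfuscated one-liner entirely, while the same pattern matches once carets, quotes and commas have been resolved; the obfuscated field is worth alerting on by itself, since legitimate administrative command lines rarely contain carets or single quoted characters.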
References
[1] “Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]
[2] “Introduction to AppleScript Language Guide,” 25-Jan-2016. [Online]. Available: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html. [Accessed: 09-Aug-2020]
[3] Y. Grbic, “Macro Malware Targets Macs,” 14-Feb-2017. [Online]. Available: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/. [Accessed: 09-Aug-2020]
[4] “Mac Malware of 2017.” [Online]. Available: https://objective-see.com/blog/blog_0x25.html#Dok. [Accessed: 09-Aug-2020]
[5] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. [Online]. Available: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis. [Accessed: 09-Aug-2020]
[6] “CMD.exe.” [Online]. Available: https://ss64.com/nt/cmd.html. [Accessed: 10-Aug-2020]
[7] S. Gatlan, “Garmin outage caused by confirmed WastedLocker ransomware attack,” BleepingComputer, 24-Jul-2020. [Online]. Available: https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/. [Accessed: 10-Aug-2020]
[8] “Virtualization/Sandbox Evasion: Time Based Evasion.” [Online]. Available: https://attack.mitre.org/techniques/T1497/003/. [Accessed: 10-Aug-2020]
[9] “Virtualization/Sandbox Evasion: Time Based Evasion.” [Online]. Available: https://attack.mitre.org/techniques/T1497/003/. [Accessed: 10-Aug-2020]
[10] coreyp-at-msft, “attrib.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib. [Accessed: 10-Aug-2020]
[11] Neo23x0, “Neo23x0/sigma,” GitHub. [Online]. Available: https://github.com/Neo23x0/sigma. [Accessed: 12-Jul-2020]