MITRE ATT&CK T1059 Command Line Interface

A Command-Line Interface (CLI) offers a way of interacting with local or remote computer systems. Our research has found that Command-Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware. As an execution technique, adversaries use one or more CLI to run their code, interact with local and remote systems, and execute other software during an attack campaign.


Operating systems (OS) provide one or more built-in Command Line Interfaces (CLIs) to users. Not only legitimate users but adversaries also frequently use built-in OS CLIs to run their commands since it is easy to detect a third-party program that executes commands.

As an Execution technique, CLI is critical to run adversary-controlled code on a local or remote system. Execution techniques are typically combined with techniques from all other tactics to accomplish specific aims, such as lateral movement and data exfiltration. 

In this article, we review:

  • the fundamentals of the Command-Line Interface technique

  • updates on the technique in the new version of the ATT&CK framework

  • sub-techniques of the new version of the Command-Line Interface technique

  • its use cases by threat actors and malware

  • Red team exercises for this technique

Changes in the New Version of the MITRE ATT&CK Framework

The July 2020