A Command-Line Interface (CLI) offers a way of interacting with local or remote computer systems. Our research has found that Command-Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware. As an execution technique, adversaries use one or more CLI to run their code, interact with local and remote systems, and execute other software during an attack campaign.
Operating systems (OS) provide one or more built-in Command Line Interfaces (CLIs) to users. Not only legitimate users but adversaries also frequently use built-in OS CLIs to run their commands since it is easy to detect a third-party program that executes commands.
As an Execution technique, CLI is critical to run adversary-controlled code on a local or remote system. Execution techniques are typically combined with techniques from all other tactics to accomplish specific aims, such as lateral movement and data exfiltration.
In this article, we review:
the fundamentals of the Command-Line Interface technique
updates on the technique in the new version of the ATT&CK framework
sub-techniques of the new version of the Command-Line Interface technique
its use cases by threat actors and malware
Red team exercises for this technique
Changes in the New Version of the MITRE ATT&CK Framework
The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques . MITRE ATT&CK Sub-techniques are a way to describe a specific implementation of a technique in more detail.
In the new sub-technique version of the MITRE ATT&CK Framework, the name of the Command-Line Interface technique is changed as Command and Scripting Interpreter, and seven sub-techniques are added under this technique:
T1086 PowerShell and T1155 AppleScript were existing techniques in the previous version and became sub-techniques in the new version, T1059.001 PowerShell and T1059.002 AppleScript respectively.
T1059.003 Windows Command Shell was included in the T1059 Command-Line Interface technique in the previous version and became a sub-technique in the new version.
Command and Scripting Interpreter Sub-techniques
In this blog post, the first three sub-techniques will be explained. Since Scripting was the sixth most prevalent ATT&CK technique according to our 10 Critical ATT&CK Technique research, we will describe the remaining four sub-techniques in our Scripting blog post.
T1059.001 PowerShell PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows operating systems. Since PowerShell has extensive access to Windows internals, system administrators frequently use it to manage and configure the operating system, and automate complex tasks. Not only system administrators but also adversaries have realized the potential in incorporating this powerful tool into their arsenal. Before being a sub-technique of the Command and Scripting Interpreter technique, PowerShell was a stand-alone technique. It appeared as the second most frequently used MITRE ATT&CK technique in our Ten Critical ATT&CK techniques search. Click here to read our detailed blog post on the PowerShell technique.
T1059.003 Windows Command Shell
Adversaries frequently utilize the Windows command shell (also known as cmd.exe), command line, or simply cmd) for execution. Actually, it is an application built into the Windows OS that accepts commands and executes them. Although not as powerful as PowerShell, you can control almost any aspect of a system with the Windows Command Shell. PowerShell has been developed to enhance the abilities of the Command Shell.
The Windows cmd.exe shell can be used to build scripts, and store them in batch files (e.g., .bat or .cmd files) to run multiple commands and automate long and repetitive tasks like user account management or nightly backups.
Adversaries commonly use cmd.exe with the /c parameter such as cmd.exe /c <command>. The /c parameter is used to run the command and then terminate the shell after command completion . Interactive shells may also be created (such as a reverse shell) to run commands and get outputs interactively.
Malware families abuse cmd.exe for different purposes. For example, the WastedLocker ransomware that has recently caused a worldwide outage of services of wearable device maker Garmin uses cmd.exe for:
Execute malicious payloads
Creating delays for Virtualization/Sandbox Evasion (MITRE ATT&CK T1497) via Time Based Evasion (MITRE ATT&CK T1497.003)
Deleting service executables for Indicator Removal on Host (MITRE ATT&CK T1070) via File Deletion (MITRE ATT&CK T11070.004)
Modify file attributes with the attrib command
Red and Blue Team Exercises
Red Teaming - How to simulate?
Briefly, the following cmd.exe one-liner gets system information using an obfuscated command.
C:\Users\who>cmd.exe /c ,p"o"wer^s^hell"."ex^e G"e"t"-"Wm^i"O"bje"c"t -Cl"a"s^s win32_ComputerSystem Domain : WORKGROUP Manufacturer : VMware, Inc. Model : VMware7,1 Name : BLUEFISH PrimaryOwnerName : localadmin TotalPhysicalMemory : 2146414592
Let’s split and analyze the command:
cmd.exe /c: As mentioned above, the /c parameter is used to run the command and then terminate the shell after command completion (MITRE ATT&CK T1059.003 Windows Command Shell) .
Inserted character for obfuscation (T1406 Obfuscated Files or Information):
Comma: The comma (,) character can serve as delimiters and can be used instead of the whitespace character in cmd.exe commands. This feature is used by attacks to obfuscate commands.
Carets: The caret (^) is the escape character of cmd.exe and one of the most commonly used characters for obfuscation of cmd.exe commands to evade rigid detection signatures.
Double quotes: In this command, double quotes (“) are used to wrap characters, which is equivalent to connecting these characters with others.
After removing the above obfuscation characters, we have the following de-obfuscated command:
C:\Users\who>cmd.exe /c powershell.exe Get-WmiObject -Class win32_ComputerSystem
powershell.exe: cmd.exe will run a PowerShell command. (MITRE ATT&CK T1059.001 PowerShell)
Get-WmiObject: The PowerShell command uses Get-WmiObject cmdlet that gets information about the available WMI classes (MITRE ATT&CK T1047 Windows Management Instrumentation).
Win32_ComputerSystem: This WMI class discovers system information (MITRE ATT&CK T1082 System Information Discovery).
In conclusion, this command incorporates five different ATT&CK techniques.
Blue Teaming - How to detect?
Following Sigma rule can be used to detect gathering system information using Get-WmiObject cmdlet of PowerShell:
title: SystemInformationDiscoveryviaPowerShellCmdlet status: experimental description: DetectstheattempttogathersysteminformationusingGet-WmiObjectcmdletofPowerShell.Thistechniqueiscommonlyutilizedfordiscovery. author: PicusSecurity references: - https://attack.mitre.org/techniques/T1047/ - https://attack.mitre.org/techniques/T1086/ - https://attack.mitre.org/techniques/T1082/ - https://attack.mitre.org/tactics/TA0002/ - https://attack.mitre.org/tactics/TA0007/ logsource: product: windows service: security definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation' definition2: 'Requirements: Group Policy : Computer Configuration\ Administrative Templates\ System\ Audit Process Creation\ Include Command Line' detection: selection: EventID: 4688 NewProcessName: '*\powershell.exe' ProcessCommandLine: '*wmi* *Win32_ComputerSystem*' condition: selection falsepositives: - Legitimate administrative activities level: medium tags: - attack.execution - attack.discovery - attack.t1047 - attack.t1086 - attack.t1082 - attack.ta0002 - attack.ta0007