A Command-Line Interface (CLI) offers a way of interacting with local or remote computer systems. Our research has found that Command-Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware. As an execution technique, adversaries use one or more CLIs to run their code, interact with local and remote systems, and execute other software during an attack campaign.
Operating systems (OS) provide one or more built-in Command-Line Interfaces (CLIs) to users. Adversaries, as well as legitimate users, frequently use the built-in OS CLIs to run their commands, because a third-party program that executes commands is easy to detect, whereas a built-in CLI blends in with normal system activity.
As an Execution technique, CLI is critical to run adversary-controlled code on a local or remote system. Execution techniques are typically combined with techniques from all other tactics to accomplish specific aims, such as lateral movement and data exfiltration.
In this article, we review:
the fundamentals of the Command-Line Interface technique
updates on the technique in the new version of the ATT&CK framework
sub-techniques of the new version of the Command-Line Interface technique
its use cases by threat actors and malware
red team exercises for this technique
Changes in the New Version of the MITRE ATT&CK Framework
The July 2020