T1059 - Command and Scripting Interpreter

Description from ATT&CK

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

Atomic Tests


Atomic Test #1 - AutoIt Script Execution

An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.

Supported Platforms: Windows

auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | script_path | AutoIt Script Path | path | PathToAtomicsFolder\T1059\src\calc.au3| | autoit_path | AutoIt Executable File Path | path | C:\Program Files (x86)\AutoIt3\AutoIt3.exe|

Attack Commands: Run with
1
powershell
!

1
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

Dependencies: Run with
1
powershell
!

Description: AutoIt executable file must exist on disk at the specified location (#{autoit_path})
Check Prereq Commands:
1
2
3
4
5
if(Test-Path "#{autoit_path}") {
    exit 0
} else {
    exit 1
}
Get Prereq Commands:
1
2
3
4
5
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait