ID | E1059 |
---|---|
Objective(s) | Execution |
Related ATT&CK Techniques | Command and Scripting Interpreter (T1059, T1623) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 13 September 2023 |
Malware may abuse command and script interpreters to execute commands, scripts, or binaries.
See ATT&CK: Command and Scripting Interpreter (T1059, T1623).
Name | Date | Method | Description |
---|---|---|---|
Poison Ivy | 2005 | -- | After the Poison Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1] |
WebCobra | 2018 | -- | From the command line, the malware drops and unzips a password-protected Cabinet archive file. [11] |
GoBotKR | 2019 | -- | GoBotKR uses cmd.exe to execute commands. [2] |
Kovter | 2016 | -- | The malware executes malicious JavaScript and PowerShell. [3] |
SamSam | 2015 | -- | SamSam uses a batch file for executing the malware and deleting certain components. [4] |
Shamoon | 2012 | -- | The wiper component of Shamoon creates a service to run its driver with the command `sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul` and sends an additional reboot command after completion. Shamoon also accepts command line arguments. [5] |
Stuxnet | 2010 | -- | Stuxnet stores and executes SQL code that extracts and runs Stuxnet from the saved CAB file using xp_cmdshell. [6] |
EvilBunny | 2011 | -- | EvilBunny executes Lua scripts. [7] |
Netwalker | 2020 | -- | Netwalker is written in and executed via PowerShell. [8] |
CryptoLocker | 2013 | -- | The malware accepts command line arguments. [9] |
Dark Comet | 2008 | -- | The malware accepts command line arguments. [9] |
Gamut | 2014 | -- | Gamut accepts command line arguments. [9] |
Hupigon | 2013 | -- | Hupigon accepts command line arguments. [9] |
Mebromi | 2011 | -- | Mebromi accepts command line arguments. [9] |
Redhip | 2011 | -- | Redhip accepts command line arguments. [9] |
Rombertik | 2015 | -- | The malware accepts command line arguments. [9] |
SearchAwesome | 2018 | -- | The malware installs a script to inject a JavaScript script and modify web traffic. [10] |
TrickBot | 2016 | -- | TrickBot accepts command line arguments. [9] |
UP007 | 2016 | -- | The malware accepts command line arguments. [9] |
Tool: capa | Mapping | APIs |
---|---|---|
accept command line arguments | Command and Scripting Interpreter (E1059) | `GetCommandLine`, `CommandLineToArgv`, `System.Environment::GetCommandLineArgs` |
run PowerShell expression | Command and Scripting Interpreter (E1059) | `System.Management.Automation.PowerShell::Create`, `System.Management.Automation.PowerShell::AddScript`, `System.Management.Automation.PowerShell::Invoke` |
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[4] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[6] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[7] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
[8] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[11] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[12] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
[13] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy