Command and Scripting Interpreter - T1059
(ATT&CK® Technique)
Definition
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
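graph LR;

%% D3FEND inferred relationships for ATT&CK technique T1059.
%% Reading guide:
%%   solid edge  (-->)  : what a technique does to the Executable Script artifact.
%%   dashed edge (-.->) : the inferred "may-*" relationship between a defensive
%%                        technique and T1059. Each one pairs with a solid edge
%%                        to the same artifact, so treat it as a candidate
%%                        countermeasure to validate, not as confirmed coverage.
%% NOTE(review): Executable Script is the only artifact in this graph, so
%% interpreter use that involves no script file is presumably not represented
%% here. Confirm against the full D3FEND mapping.
%% One statement per line: the original wrapping split a class statement and a
%% quoted node label across lines.

%% Offensive technique and the artifact it acts on
T1059["Command and Scripting Interpreter"] --> |executes| ExecutableScript["Executable Script"];
class T1059 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click T1059 href "/offensive-technique/attack/T1059/";
click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";

%% Decoy File (deceive)
DecoyFile["Decoy File"] --> | spoofs | ExecutableScript;
DecoyFile -.-> | may-deceive | T1059;
class DecoyFile DefensiveTechniqueNode;
click DecoyFile href "/technique/d3f:DecoyFile";

%% Dynamic Analysis (detect)
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript;
DynamicAnalysis -.-> | may-detect | T1059;
class DynamicAnalysis DefensiveTechniqueNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

%% Executable Denylisting (isolate)
ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript;
ExecutableDenylisting -.-> | may-isolate | T1059;
class ExecutableDenylisting DefensiveTechniqueNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

%% File Analysis (detect)
FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript;
FileAnalysis -.-> | may-detect | T1059;
class FileAnalysis DefensiveTechniqueNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";

%% Remote File Access Mediation (isolate)
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableScript;
RemoteFileAccessMediation -.-> | may-isolate | T1059;
class RemoteFileAccessMediation DefensiveTechniqueNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

%% Local File Permissions (isolate)
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript;
LocalFilePermissions -.-> | may-isolate | T1059;
class LocalFilePermissions DefensiveTechniqueNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

%% Restore File (restore)
RestoreFile["Restore File"] --> | restores | ExecutableScript;
RestoreFile -.-> | may-restore | T1059;
class RestoreFile DefensiveTechniqueNode;
click RestoreFile href "/technique/d3f:RestoreFile";

%% File Integrity Monitoring (detect)
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript;
FileIntegrityMonitoring -.-> | may-detect | T1059;
class FileIntegrityMonitoring DefensiveTechniqueNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

%% Emulated File Analysis (detect)
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript;
EmulatedFileAnalysis -.-> | may-detect | T1059;
class EmulatedFileAnalysis DefensiveTechniqueNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

%% File Encryption (harden)
FileEncryption["File Encryption"] --> | encrypts | ExecutableScript;
FileEncryption -.-> | may-harden | T1059;
class FileEncryption DefensiveTechniqueNode;
click FileEncryption href "/technique/d3f:FileEncryption";

%% Executable Allowlisting (isolate)
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript;
ExecutableAllowlisting -.-> | may-isolate | T1059;
class ExecutableAllowlisting DefensiveTechniqueNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

%% File Eviction (evict)
FileEviction["File Eviction"] --> | deletes | ExecutableScript;
FileEviction -.-> | may-evict | T1059;
class FileEviction DefensiveTechniqueNode;
click FileEviction href "/technique/d3f:FileEviction";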