MITRE ATT&CK: Command-line interface
Introduction
Try to remember the first time you sat at a PC. What was one of the seemingly high-level features about it that impressed you? Chances are that one of these features was the command-line interface. With a simple click, you could glimpse a vestige of DOS where a GUI is nonexistent and sophisticated functions and tasks could run with just one line of command code.
This is because the command-line interface is both useful and powerful, and attackers know this. In fact, command line interface is so commonly used by attackers, MITRE has listed it in its collection of execution attack techniques in its MITRE ATT&CK matrix.
This article will detail the command-line interface, explore the MITRE ATT&CK matrix, tell you about real-world examples and tips about mitigation and detection of this execution-based attack technique.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics, based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
A little about the command-line interface
It would be easy to jump into a discussion about the use of the command-line interface in attack campaigns, but first you should understand where the command-line interface fits into the big picture of attacks.
The command-line interface is a mainstay of the “execution” category of an attack. This is the phase where attackers execute malicious code during an attack. Execution techniques can be paired with other attack techniques to achieve their broader attacker campaign goals. A classic example of this is using a remote access tool (RAT) to run a malicious script with PowerShell on a compromised system.
The command-line interface is not a new tool or technology and operates in the same way it does on your PC. Simply put, the command-line interface offers a way to interact with a computer system and execute software. This ability to execute software does not discriminate against the user’s intent — it can execute both legitimate and shadowy attacker software alike.
Possibly the most commonly used command-line interface for Windows systems is CMD, which can execute software, among other tasks. Command-line interfaces can be performed on local systems or may be used in conjunction with remote desktop application for remote use.
This attack technique has been used by countless attack groups, and their creativity in applying it in their attacks knows few bounds. The best way to get a picture of just how widespread command-line interface has become is to examine real-world examples of its presence in attack campaigns and as a feature of attack tools.
Real-world uses of the command line interface
httpclient
This malware is a simple attack tool created by the Putter Panda attack group. Among the capabilities of this supplementary tool is a functionality that allows the attacker to open cmd.exe on the compromised system.
MURKYTOP
This command-line reconnaissance tool is made and used by cyberespionage group Leviathan, also known as TEMP.Periscope. MURKYTOP is a good example of the breadth of capabilities that the command-line interface can provide. This tool can delete and move files, execute files as another user, scan for open ports on a connected network and perform host discovery, among many other capabilities.
PoisonIvy
PoisonIvy is a popular remote access tool (RAT) that has been in use since at least 2005. It operates by creating a backdoor on a compromised system that allows the actor access to cmd.exe.
QuasarRAT
This open-source tool is freely available on GitHub and has been around since at least 2017. It is known for allowing actors to launch a remote shell on targeted systems, allowing them to execute commands.
Kazuar
Kazuar is a multi-platform, fully featured backdoor Trojan that afflicts both Windows and macOS systems. This Trojan uses cmd.exe and /bin/bash to execute remote commands on victim systems.
Mitigation
According to MITRE, the recommended course of mitigation is to block or audit unnecessary command-line interpreters. This can be performed with application whitelisting tools including AppLocker and Windows Defender Application Control, or with appropriate software restriction policies (such as Group Policy).
Detection
Detection of the command-line interface attack technique is luckily straightforward to detect. To detect whether this technique is being used, check the target systems logs for process execution involving command-line arguments. Analyzing the behavior of attackers by using the command-line interface can shed some light into further actions on the compromised system, so make sure to perform a thorough audit of all relevant logs.
Conclusion
The command-line interface is at once a powerful and useful tool that makes execution processes and software easy. Attackers know this and have a number of different ways to take advantage of the capability that this interface affords its users.
Through diligent detection, you can catch malicious actors using the command-line interface against your system and may even cut off an attack before happens to you.