ID	E1059
Objective(s)	Execution
Related ATT&CK Techniques	Command and Scripting Interpreter (T1059, T1623)
Version	2.0
Created	2 August 2022
Last Modified	21 November 2022

Command and Scripting Interpreter

Malware may abuse command and script interpreters to execute commands, scripts, or binaries.

See ATT&CK: Command and Scripting Interpreter (T1059, T1623).

Use in Malware

Name	Date	Method	Description
Poison-Ivy	2005	--	After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1]
WebCobra	2018	--	From the command line, drops and unzips a password-protected Cabinet archive file. [1]
GotBotKR	2019	--	GoBotKR uses cmd.exe to execute commands. [2]
Kovter	2016	--	The malware executes malicious javascript and powershell [3]
SamSam	2015	--	SamSam uses a batch file for executing the malware and deleting certain components [4]
Shamoon	2012	--	The wiper component of Shamoon creates a service to run the driver with the command: sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul and sends an additional reboot command after completion [5]
Stuxnet	2010	--	Stuxnet will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell [6]
EvilBunny	2011	--	EvilBunny executes Lua scripts [7]
Netwalker	2020	--	Netwalker is written and executed in Powershell [8]