ID | E1059 |
---|---|
Objective(s) | Execution |
Related ATT&CK Techniques | Command and Scripting Interpreter (T1059, T1623) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 21 November 2022 |
Malware may abuse command and script interpreters to execute commands, scripts, or binaries.
See ATT&CK: Command and Scripting Interpreter (T1059, T1623).
Name | Date | Method | Description |
---|---|---|---|
Poison-Ivy | 2005 | -- | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1] |
WebCobra | 2018 | -- | From the command line, drops and unzips a password-protected Cabinet archive file. [1] |
GoBotKR | 2019 | -- | GoBotKR uses cmd.exe to execute commands. [2] |
Kovter | 2016 | -- | The malware executes malicious JavaScript and PowerShell. [3] |
SamSam | 2015 | -- | SamSam uses a batch file for executing the malware and deleting certain components. [4] |
Shamoon | 2012 | -- | The wiper component of Shamoon creates a service to run the driver with the command: sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul and sends an additional reboot command after completion. [5] |
Stuxnet | 2010 | -- | Stuxnet stores and executes SQL code that extracts and executes Stuxnet from the saved CAB file using xp_cmdshell. [6] |
EvilBunny | 2011 | -- | EvilBunny executes Lua scripts. [7] |
Netwalker | 2020 | -- | Netwalker is written in and executed via PowerShell. [8] |
[1] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[4] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[6] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[7] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
[8] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html