| ID | Name |
|---|---|
| T1623.001 | Unix Shell |
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, Android is a UNIX-like OS and includes a basic Unix shell that can be accessed via the Android Debug Bridge (ADB) or Java's Runtime package.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents, or arrive as secondary payloads downloaded from an existing C2 channel. Adversaries may also execute commands through interactive terminals/shells.
| ID | Name | Description |
|---|---|---|
| S1185 | LightSpy | LightSpy has plugins for executing shell commands either from the C2 server or a library file called |
| S1056 | TianySpy | |
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation can often detect jailbroken or rooted devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can typically detect jailbroken or rooted devices. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0655 | Detection of Command and Scripting Interpreter | AN1741 | The defender correlates app-driven shell or command execution setup with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from background state, without recent user interaction, or immediately after payload retrieval or local staging. The analytic prioritizes Android-observable control-plane effects: Java Runtime or similar command-execution method use, shell or sh-like process creation, command parameter visibility where available, and immediate file or network effects produced by the interpreter. |
| DET0655 | Detection of Command and Scripting Interpreter | AN1742 | The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside expected user context. Because direct shell-process visibility can be weaker on iOS in many enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects. |
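The correlation logic that AN1741 and AN1742 describe (command invocation under an app context, weighted by background state, absence of recent user interaction, prior payload staging, and immediate file or network follow-on effects) can be sketched as a small event-correlation routine. The following is an added example written for this page, not MITRE's or any vendor's code. The event schema (dict fields `ts`, `app`, `kind`, `exe`, `foreground`), the time windows, and the sample telemetry are all constructed assumptions; real mobile EDR/MDM feeds will need their own field mapping.

```python
"""Correlation sketch for DET0655 / AN1741 over constructed Android-style telemetry.

Added example (not MITRE's code). Event schema and thresholds are assumptions:
each event is a dict with 'ts' (seconds), 'app' (package name), 'kind', and
optional 'exe' / 'foreground' fields.
"""
from dataclasses import dataclass, field

# Executables whose creation under an app context counts as shell-like (assumed list)
SHELL_LIKE = {"/system/bin/sh", "/system/bin/su", "sh", "su"}
NO_USER_WINDOW = 60.0   # seconds since last user interaction before we call it unattended
STAGING_WINDOW = 30.0   # seconds: payload retrieval / local staging shortly before execution
EFFECT_WINDOW = 10.0    # seconds: file or network effect shortly after execution


@dataclass
class Finding:
    app: str
    ts: float
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per satisfied correlation condition
        return len(self.reasons)


def _is_command_exec(ev: dict) -> bool:
    """Java Runtime-style exec, or creation of a shell-like process."""
    if ev["kind"] == "runtime_exec":
        return True
    return ev["kind"] == "process_create" and ev.get("exe") in SHELL_LIKE


def correlate(events: list) -> list:
    """Return one Finding per burst of suspicious command execution, per app."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if not _is_command_exec(ev):
            continue
        app, t = ev["app"], ev["ts"]
        # Collapse repeated exec events from the same app inside one effect window
        if findings and findings[-1].app == app and t - findings[-1].ts <= EFFECT_WINDOW:
            continue
        same_app = [e for e in events if e["app"] == app]
        reasons = []

        # Condition: no recent user interaction in this app context
        last_ui = max((e["ts"] for e in same_app
                       if e["kind"] == "user_interaction" and e["ts"] <= t), default=None)
        if last_ui is None or t - last_ui > NO_USER_WINDOW:
            reasons.append("no recent user interaction")

        # Condition: execution from background state
        if ev.get("foreground") is False:
            reasons.append("executed from background state")

        # Condition: payload retrieval or local staging shortly before execution
        staged = [e for e in same_app
                  if e["kind"] in ("net_download", "file_write") and 0 <= t - e["ts"] <= STAGING_WINDOW]
        if staged:
            reasons.append("preceded by staging: " + staged[-1]["kind"])

        # Condition: immediate file or network effect after the interpreter ran
        effects = sorted({e["kind"] for e in same_app
                          if e["kind"] in ("file_write", "net_connect") and 0 < e["ts"] - t <= EFFECT_WINDOW})
        if effects:
            reasons.append("immediate follow-on effect: " + ",".join(effects))

        # Require at least two corroborating conditions before raising a finding
        if len(reasons) >= 2:
            findings.append(Finding(app, t, reasons))
    return findings


# Constructed sample telemetry: a terminal app used interactively (benign) and a
# "weather" app that fetches a file, spawns a shell in the background, then calls out.
SAMPLE_EVENTS = [
    {"ts": 100.0, "app": "com.example.terminal", "kind": "user_interaction"},
    {"ts": 101.0, "app": "com.example.terminal", "kind": "process_create",
     "exe": "/system/bin/sh", "foreground": True},
    {"ts": 500.0, "app": "com.example.weather", "kind": "net_download", "host": "203.0.113.10"},
    {"ts": 505.0, "app": "com.example.weather", "kind": "file_write",
     "path": "/data/data/com.example.weather/files/p.bin"},
    {"ts": 510.0, "app": "com.example.weather", "kind": "runtime_exec", "foreground": False},
    {"ts": 511.0, "app": "com.example.weather", "kind": "process_create",
     "exe": "/system/bin/sh", "foreground": False},
    {"ts": 513.0, "app": "com.example.weather", "kind": "net_connect", "host": "203.0.113.10"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.app} @ {f.ts}: score={f.score} reasons={f.reasons}")
```

On the constructed sample the interactive terminal session produces no finding (recent user interaction, foreground, no staging, no follow-on effect), while the weather app's burst is reported once with all four conditions satisfied. The same structure applies to AN1742 on iOS: swap the `process_create` / `runtime_exec` anchors for whatever process-creation or OS API effect the MDM or security product can actually observe, and keep the lifecycle and post-execution conditions as the confidence raisers.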