MITRE ATT&CK: Command-line interface

Introduction

Try to remember the first time you sat at a PC. What was one of the seemingly high-level features about it that impressed you? Chances are that one of these features was the command-line interface. With a single click, you could open a window that looked like a vestige of DOS, with no GUI at all, and run sophisticated functions and tasks with just one line of commands. 

This is because the command-line interface is both useful and powerful, and attackers know this. In fact, the command-line interface is so commonly used by attackers that MITRE lists it among the execution techniques in its MITRE ATT&CK matrix. 

This article will describe the command-line interface, explore the MITRE ATT&CK matrix, present real-world examples of its use in attacks, and offer tips on mitigating and detecting this execution-based attack technique.

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organizational capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary tactics and techniques, based upon real-world observations. This information serves as a foundation for developing threat models and methodologies in the cybersecurity product and service community, the private sector and government.

More information on the MITRE ATT&CK matrix can be found here.

A little about the command-line interface

It would be easy to jump into a discussion about the use of the command-line interface in attack campaigns, but first you should understand where the command-line interface fits into the big picture of attacks.

The command-line interface is a mainstay of the “execution” category of an attack. This is
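Because the technique sits in the execution category, the telemetry that matters for detection is process creation: which program started a command interpreter, and with what arguments. The following is an added example written for this page, not code from the original article or from MITRE; it runs a few simple triage heuristics over constructed process-creation records in a Sysmon-like shape (parent image, image, command line). The interpreter names, the list of document-handling parent processes, and the flag checks are assumptions chosen for illustration, not a published MITRE or vendor rule set.

```python
# Added example: triage of process-creation records for command-line interpreter abuse.
# The records below are constructed for this example and are not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Assumed lists for illustration: interpreters we care about and parent processes
# (document handlers) that rarely have a legitimate reason to spawn a shell.
CLI_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the list of reasons a process-creation record looks suspicious.

    An empty list means the record did not match any heuristic. Only records
    whose image is a command-line interpreter are examined at all.
    """
    reasons = []
    image = basename(ev["image"])
    parent = basename(ev["parent"])
    if image not in CLI_INTERPRETERS:
        return reasons

    # Heuristic 1: a shell launched by a document handler (macro-style execution).
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"{image} spawned by document handler {parent}")

    tokens = ev["cmdline"].lower().split()
    # Heuristic 2: encoded command argument hides what the interpreter will run.
    if any(t in tokens for t in ("-enc", "-encodedcommand", "-e")):
        reasons.append("encoded command line argument")
    # Heuristic 3: the interpreter was asked to run without a visible window.
    if "hidden" in tokens:
        reasons.append("hidden window requested")
    return reasons


def triage(events: list) -> list:
    """Return (command line, reasons) pairs for every record that matched a heuristic."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

The first record (Explorer launching `cmd.exe /c dir`) is the benign baseline and produces no findings; the point of anchoring the rules on parent process and arguments, rather than on the mere presence of `cmd.exe`, is that interpreters are used constantly by administrators and must not be alerted on by themselves.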

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/lCcGUkOXIV8/