Command

A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task^[1]^[2]

ID: DS0017

ⓘ

Platforms: Containers, Linux, Network, Windows, macOS

ⓘ

Collection Layers: Container, Host

Contributors: Austin Clark; Center for Threat-Informed Defense (CTID)

Version: 1.0

Created: 20 October 2021

Last Modified: 10 November 2021

Data Components

Command: Command Execution

Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)

Command: Command Execution

Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)

Domain	ID		Name
Enterprise	T1548		Abuse Elevation Control Mechanism
		.001	Setuid and Setgid
		.002	Bypass User Account Control
		.003	Sudo and Sudo Caching
Enterprise	T1134		Access Token Manipulation
		.001	Token Impersonation/Theft
		.002	Create Process with Token
		.003	Make and Impersonate Token
Enterprise	T1087		Account Discovery
		.001	Local Account
		.002	Domain Account
		.003	Email Account
		.004	Cloud Account
Enterprise	T1098		Account Manipulation
		.004	SSH Authorized Keys
Enterprise	T1010		Application Window Discovery
Enterprise	T1560		Archive Collected Data
		.001	Archive via Utility
Enterprise	T1123		Audio Capture
Enterprise	T1119		Automated Collection
Enterprise	T1020		Automated Exfiltration
Enterprise	T1197		BITS Jobs
Enterprise	T1547		Boot or Logon Autostart Execution
		.001	Registry Run Keys / Startup Folder
		.002	Authentication Package
		.003	Time Providers
		.004	Winlogon Helper DLL
		.005	Security Support Provider
		.006	Kernel Modules and Extensions
		.007	Re-opened Applications
		.011	Plist Modification
		.013	XDG Autostart Entries
		.014	Active Setup
Enterprise	T1037		Boot or Logon Initialization Scripts
		.001	Logon Script (Windows)
		.002	Logon Script (Mac)
		.003	Network Logon Script
		.004	RC Scripts
		.005	Startup Items
Enterprise	T1217		Browser Bookmark Discovery
Enterprise	T1176		Browser Extensions
Enterprise	T1110		Brute Force
Enterprise	T1115		Clipboard Data
Enterprise	T1059		Command and Scripting Interpreter
		.001	PowerShell
		.002	AppleScript
		.003	Windows Command Shell
		.004	Unix Shell
		.005	Visual Basic
		.006	Python
		.007	JavaScript
		.008	Network Device CLI
Enterprise	T1609		Container Administration Command
Enterprise	T1136		Create Account
		.001	Local Account
		.002	Domain Account
Enterprise	T1543		Create or Modify System Process
		.001	Launch Agent
		.002	Systemd Service
		.003	Windows Service
		.004	Launch Daemon
Enterprise	T1555		Credentials from Password Stores
		.001	Keychain
		.002	Securityd Memory
		.003	Credentials from Web Browsers
		.004	Windows Credential Manager
		.005	Password Managers
Enterprise	T1485		Data Destruction
Enterprise	T1486		Data Encrypted for Impact
Enterprise	T1005		Data from Local System
Enterprise	T1039		Data from Network Shared Drive
Enterprise	T1025		Data from Removable Media
Enterprise	T1074		Data Staged
		.001	Local Data Staging
		.002	Remote Data Staging
Enterprise	T1006		Direct Volume Access
Enterprise	T1561		Disk Wipe
		.001	Disk Content Wipe
		.002	Disk Structure Wipe
Enterprise	T1484		Domain Policy Modification
		.001	Group Policy Modification
		.002	Domain Trust Modification
Enterprise	T1482		Domain Trust Discovery
Enterprise	T1114		Email Collection
		.001	Local Email Collection
		.002	Remote Email Collection
Enterprise	T1546		Event Triggered Execution
		.001	Change Default File Association
		.002	Screensaver
		.003	Windows Management Instrumentation Event Subscription
		.004	Unix Shell Configuration Modification
		.005	Trap
		.006	LC_LOAD_DYLIB Addition
		.007	Netsh Helper DLL
		.008	Accessibility Features
		.009	AppCert DLLs
		.010	AppInit DLLs
		.011	Application Shimming
		.012	Image File Execution Options Injection
		.013	PowerShell Profile
		.014	Emond
		.015	Component Object Model Hijacking
Enterprise	T1480		Execution Guardrails
		.001	Environmental Keying
Enterprise	T1048		Exfiltration Over Alternative Protocol
		.001	Exfiltration Over Symmetric Encrypted Non-C2 Protocol
		.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
		.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Enterprise	T1041		Exfiltration Over C2 Channel
Enterprise	T1011		Exfiltration Over Other Network Medium
		.001	Exfiltration Over Bluetooth
Enterprise	T1052		Exfiltration Over Physical Medium
		.001	Exfiltration over USB
Enterprise	T1567		Exfiltration Over Web Service
		.001	Exfiltration to Code Repository
		.002	Exfiltration to Cloud Storage
Enterprise	T1083		File and Directory Discovery
Enterprise	T1222		File and Directory Permissions Modification
		.001	Windows File and Directory Permissions Modification
		.002	Linux and Mac File and Directory Permissions Modification
Enterprise	T1615		Group Policy Discovery
Enterprise	T1564		Hide Artifacts
		.001	Hidden Files and Directories
		.002	Hidden Users
		.003	Hidden Window
		.004	NTFS File Attributes
		.006	Run Virtual Instance
		.008	Email Hiding Rules
		.009	Resource Forking
Enterprise	T1574		Hijack Execution Flow
		.006	Dynamic Linker Hijacking
		.011	Services Registry Permissions Weakness
		.012	COR_PROFILER
Enterprise	T1562		Impair Defenses
		.001	Disable or Modify Tools
		.002	Disable Windows Event Logging
		.003	Impair Command History Logging
		.004	Disable or Modify System Firewall
		.006	Indicator Blocking
		.009	Safe Mode Boot
		.010	Downgrade Attack
Enterprise	T1070		Indicator Removal on Host
		.001	Clear Windows Event Logs
		.002	Clear Linux or Mac System Logs
		.003	Clear Command History
		.004	File Deletion
		.005	Network Share Connection Removal
Enterprise	T1202		Indirect Command Execution
Enterprise	T1490		Inhibit System Recovery
Enterprise	T1056	.002	Input Capture: GUI Input Capture
Enterprise	T1570		Lateral Tool Transfer
Enterprise	T1036		Masquerading
		.003	Rename System Utilities
		.004	Masquerade Task or Service
Enterprise	T1112		Modify Registry
Enterprise	T1046		Network Service Scanning
Enterprise	T1135		Network Share Discovery
Enterprise	T1040		Network Sniffing
Enterprise	T1027		Obfuscated Files or Information
		.004	Compile After Delivery
Enterprise	T1137		Office Application Startup
		.001	Office Template Macros
		.002	Office Test
		.003	Outlook Forms
		.004	Outlook Home Page
		.005	Outlook Rules
		.006	Add-ins
Enterprise	T1003		OS Credential Dumping
		.001	LSASS Memory
		.002	Security Account Manager
		.003	NTDS
		.004	LSA Secrets
		.005	Cached Domain Credentials
		.007	Proc Filesystem
		.008	/etc/passwd and /etc/shadow
Enterprise	T1201		Password Policy Discovery
Enterprise	T1120		Peripheral Device Discovery
Enterprise	T1069		Permission Groups Discovery
		.001	Local Groups
		.002	Domain Groups
		.003	Cloud Groups
Enterprise	T1542		Pre-OS Boot
		.005	TFTP Boot
Enterprise	T1057		Process Discovery
Enterprise	T1012		Query Registry
Enterprise	T1563		Remote Service Session Hijacking
		.001	SSH Hijacking
		.002	RDP Hijacking
Enterprise	T1021		Remote Services
		.002	SMB/Windows Admin Shares
		.006	Windows Remote Management
Enterprise	T1018		Remote System Discovery
Enterprise	T1496		Resource Hijacking
Enterprise	T1053		Scheduled Task/Job
		.001	At (Linux)
		.002	At (Windows)
		.003	Cron
		.005	Scheduled Task
		.006	Systemd Timers
Enterprise	T1113		Screen Capture
Enterprise	T1505	.004	Server Software Component: IIS Components
Enterprise	T1489		Service Stop
Enterprise	T1218		Signed Binary Proxy Execution
		.001	Compiled HTML File
		.002	Control Panel
		.003	CMSTP
		.004	InstallUtil
		.005	Mshta
		.007	Msiexec
		.008	Odbcconf
		.009	Regsvcs/Regasm
		.010	Regsvr32
		.011	Rundll32
		.012	Verclsid
		.013	Mavinject
		.014	MMC
Enterprise	T1216		Signed Script Proxy Execution
		.001	PubPrn
Enterprise	T1518		Software Discovery
		.001	Security Software Discovery
Enterprise	T1558		Steal or Forge Kerberos Tickets
Enterprise	T1553		Subvert Trust Controls
		.001	Gatekeeper Bypass
		.004	Install Root Certificate
		.006	Code Signing Policy Modification
Enterprise	T1082		System Information Discovery
Enterprise	T1614		System Location Discovery
		.001	System Language Discovery
Enterprise	T1016		System Network Configuration Discovery
		.001	Internet Connection Discovery
Enterprise	T1049		System Network Connections Discovery
Enterprise	T1033		System Owner/User Discovery
Enterprise	T1007		System Service Discovery
Enterprise	T1569		System Services
		.001	Launchctl
		.002	Service Execution
Enterprise	T1529		System Shutdown/Reboot
Enterprise	T1124		System Time Discovery
Enterprise	T1127		Trusted Developer Utilities Proxy Execution
		.001	MSBuild
Enterprise	T1552		Unsecured Credentials
		.001	Credentials In Files
		.002	Credentials in Registry
		.003	Bash History
		.004	Private Keys
		.006	Group Policy Preferences
		.007	Container API
Enterprise	T1204		User Execution
		.003	Malicious Image
Enterprise	T1125		Video Capture
Enterprise	T1497		Virtualization/Sandbox Evasion
		.001	System Checks
		.002	User Activity Based Checks
		.003	Time Based Evasion
Enterprise	T1047		Windows Management Instrumentation

References

Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.

Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.