Command-Line Interface

Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android exposes a Unix shell (/system/bin/sh, which on most devices is mksh rather than bash) that can be reached interactively over the Android Debug Bridge (ADB) or programmatically from an app through java.lang.Runtime.exec() or java.lang.ProcessBuilder. iOS does not expose a shell to apps or users; on a jailbroken device, adversaries can interact with the underlying Unix shell.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary (typically su) to elevate their privileges and interact with the system as the root user. This level of privilege lets the adversary run commands that the application sandbox would otherwise block and modify protected system files.

ID: T1605
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Execution
Platforms: Android, iOS
Version: 1.0
Created: 16 December 2020
Last Modified: 17 December 2020

Procedure Examples

ID Name Description
S0655 BusyGasper

BusyGasper can run shell commands.[1]

S0555 CHEMISTGAMES

CHEMISTGAMES can run bash commands.[2]

S0550 DoubleAgent

DoubleAgent can run arbitrary shell commands.[3]

S0544 HenBox

HenBox can run commands as root.[4]

S0558 Tiktok Pro

Tiktok Pro can execute commands.[5]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting services could detect invocations of methods that can execute shell commands, such as java.lang.Runtime.exec() and java.lang.ProcessBuilder, and string constants that reference a superuser binary.
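The following is an added example of such a vetting check, not code from MITRE or from any vetting product. It scans decompiled smali for the shell-execution methods named above and for string constants pointing at a superuser binary, which is how the su invocation described in the technique shows up in bytecode. The smali fragment, the file path and the finding labels are constructed for illustration; in practice the APK is decompiled with apktool/baksmali and every .smali file is passed to scan_smali().

```python
"""Static scan of decompiled (smali) Android code for shell-execution and
superuser invocation patterns.

Added example for this page, not MITRE's or any product's code. The smali
below is constructed to mimic an app that runs `su -c <command>`.
"""
import re
from collections import defaultdict

# Method references whose presence in bytecode means the app can spawn a shell.
# Keys end at "(" so every overload of the method matches.
SHELL_EXEC_METHODS = {
    "Ljava/lang/Runtime;->exec(": "Runtime.exec",
    "Ljava/lang/ProcessBuilder;-><init>(": "ProcessBuilder",
    "Ljava/lang/ProcessBuilder;->start(": "ProcessBuilder.start",
}

# String constants that suggest a superuser binary or a shell is being invoked.
SUSPICIOUS_STRINGS = {
    "su": "superuser binary",
    "/system/bin/su": "superuser binary",
    "/system/xbin/su": "superuser binary",
    "/system/bin/sh": "shell binary",
    "-c": "shell -c argument",
}

# smali: invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec([Ljava/lang/String;)Ljava/lang/Process;
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;->[\w<>$]+\()")
# smali: const-string v3, "su"   (const-string/jumbo appears with large string pools)
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')


def scan_smali(text):
    """Map each finding label to the smali line numbers where it occurs."""
    findings = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INVOKE_RE.search(line)
        if m and m.group(1) in SHELL_EXEC_METHODS:
            findings[SHELL_EXEC_METHODS[m.group(1)]].append(lineno)
        m = CONST_STRING_RE.search(line)
        if m and m.group(1) in SUSPICIOUS_STRINGS:
            findings[SUSPICIOUS_STRINGS[m.group(1)]].append(lineno)
    return dict(findings)


def verdict(findings):
    """Rank findings: shell execution plus a su reference is the strongest signal."""
    can_exec = any(label in findings for label in SHELL_EXEC_METHODS.values())
    if can_exec and "superuser binary" in findings:
        return "shell execution with superuser invocation"
    if can_exec:
        return "shell execution"
    return "no shell execution found"


# Constructed smali for a method that builds {"su", "-c", cmd} and calls Runtime.exec().
SAMPLE_SMALI = """\
.class public Lcom/example/app/Runner;
.super Ljava/lang/Object;

.method public static runAsRoot(Ljava/lang/String;)Ljava/lang/Process;
    .locals 4
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const/4 v1, 0x3
    new-array v1, v1, [Ljava/lang/String;
    const/4 v2, 0x0
    const-string v3, "su"
    aput-object v3, v1, v2
    const/4 v2, 0x1
    const-string v3, "-c"
    aput-object v3, v1, v2
    const/4 v2, 0x2
    aput-object p0, v1, v2
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec([Ljava/lang/String;)Ljava/lang/Process;
    move-result-object v0
    return-object v0
.end method
"""

if __name__ == "__main__":
    found = scan_smali(SAMPLE_SMALI)
    for label, lines in sorted(found.items()):
        print(f"{label}: lines {lines}")
    print("verdict:", verdict(found))
```

The "-c" string is only supporting context and is a frequent false positive on its own, which is why verdict() keys on the exec method plus a su reference. Static string matching also misses apps that build "su" at runtime, reach Runtime through reflection, or call execve from native code, so a vetting pipeline should pair this with dynamic analysis that observes actual process creation.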

M1002 Attestation

Device attestation, in particular hardware-backed attestation that verifies the boot state and system image, can often detect jailbroken or rooted devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can often detect jailbroken or rooted devices, although root-hiding tools can defeat on-device heuristic checks.
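As an added example of the kind of heuristic a compromised-device check applies (not code from MITRE or from any mobile security product), the following evaluates artifacts pulled from an Android device: getprop values, the presence of su at common paths, a read-write system mount and known root-manager packages. The device samples are constructed; on a real device the inputs come from `adb shell getprop`, an existence probe of each listed path, `adb shell cat /proc/mounts` and `adb shell pm list packages` (with the `package:` prefix stripped).

```python
"""Heuristic rooted-device check over artifacts collected from an Android device.

Added example for this page, not MITRE's or any product's code. Sample inputs
are constructed; the su paths and package names are well-known indicators.
"""
import re

# Locations where a superuser binary is commonly installed on rooted devices.
SU_PATHS = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/sbin/su", "/vendor/bin/su", "/data/local/bin/su", "/data/local/xbin/su",
]
# Root-management apps whose presence implies a rooted device.
ROOT_MANAGER_PACKAGES = {"com.topjohnwu.magisk", "eu.chainfire.supersu"}

# getprop output line: [ro.build.tags]: [release-keys]
GETPROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a {name: value} dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def root_indicators(getprop_text, existing_paths, mounts_text, packages):
    """Return the indicators that fired, in check order; empty list means none."""
    props = parse_getprop(getprop_text)
    hits = []
    if props.get("ro.build.tags") == "test-keys":
        hits.append("build signed with test-keys")
    if props.get("ro.debuggable") == "1":
        hits.append("ro.debuggable=1")
    if props.get("ro.secure") == "0":
        hits.append("ro.secure=0")
    for path in SU_PATHS:
        if path in existing_paths:
            hits.append(f"su binary at {path}")
    # /proc/mounts fields: device mountpoint fstype options dump pass
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in ("/", "/system") and "rw" in fields[3].split(","):
            hits.append(f"{fields[1]} mounted read-write")
    for pkg in packages:
        if pkg in ROOT_MANAGER_PACKAGES:
            hits.append(f"root manager package {pkg}")
    return hits


# Constructed samples: one rooted device, one stock device.
ROOTED_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""
ROOTED_PATHS = {"/system/xbin/su", "/sbin/su"}
ROOTED_MOUNTS = "/dev/block/dm-0 /system ext4 rw,seclabel,relatime 0 0\n"
ROOTED_PACKAGES = ["com.topjohnwu.magisk", "com.example.bank"]

STOCK_GETPROP = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""
STOCK_PATHS = set()
STOCK_MOUNTS = "/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0\n"
STOCK_PACKAGES = ["com.example.bank"]

if __name__ == "__main__":
    for name, args in (("rooted", (ROOTED_GETPROP, ROOTED_PATHS, ROOTED_MOUNTS, ROOTED_PACKAGES)),
                       ("stock", (STOCK_GETPROP, STOCK_PATHS, STOCK_MOUNTS, STOCK_PACKAGES))):
        print(name, "->", root_indicators(*args) or "no indicators")
```

These checks are advisory: a root-hiding module can unmount su, filter getprop and hide packages from the calling app, so a negative result only means nothing was observed. Hardware-backed attestation (the M1002 mitigation above) is the stronger control because the verdict is produced outside the possibly compromised OS.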

Detection

Command-Line Interface execution can be difficult to detect, since mobile platforms expose little process-creation telemetry to enterprise tooling, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior, such as initial access and the presence of a rooted or jailbroken device.

References