MITRE ATT&CK® Technique

T1623.001: Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

Mobile | T1623.001 | Sub-technique | Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Unix Shell abuse on mobile devices matters because it turns Android or iOS command interpreters into a flexible execution path for adversaries. On rooted or jailbroken devices, shell access can become especially material because protected files and privileged commands may become reachable. For leaders, this is less about a single command and more about whether mobile devices that touch enterprise data can be trusted, assessed, and isolated when compromise indicators appear.

Executive priority

Prioritize this as a mobile device trust and access-control issue. The key business question is whether rooted, jailbroken, or otherwise compromised devices can still reach enterprise resources. ATT&CK links this technique to attestation and compromised-device detection, so leadership should ask for evidence that mobile access decisions consider device integrity, not only user identity. Because ATT&CK provides no official detection text or tactic mapping for this object, coverage should be validated locally rather than assumed.

Technical view

For SOC, detection engineering, and IR teams, validate mobile telemetry around shell execution, command/script activity, ADB-related access where applicable, jailbreak/root indicators, superuser binary invocation, and command execution through command-and-control or lateral movement paths such as SSH when present in the environment. Treat this as a sub-technique of Command and Scripting Interpreter for Android and iOS. Relationship context shows multiple Android software entries using this behavior, so Android coverage should be reviewed first where enterprise exposure exists, while iOS should not be excluded because the technique platform includes iOS.

Likely telemetry

  • Mobile threat defense alerts for shell, root, jailbreak, or compromised-device indicators
  • EMM/MDM device compliance and integrity state
  • Remote attestation results where available
  • Application behavior telemetry showing command or script execution
  • ADB-related activity on Android devices where collected

Detection direction

  • Review DET0607, Detection of Unix Shell, as the ATT&CK-linked detection strategy, but do not assume coverage without testing against local mobile telemetry.
  • Tune detections to distinguish legitimate administrative, developer, or support activity from unexpected shell use on managed mobile devices.
  • Correlate shell activity with root/jailbreak status, failed or missing attestation, suspicious application behavior, and enterprise access events.
  • Account for blind spots where mobile threat defense, EMM/MDM, or device logs do not expose process-level command execution.
  • Use related software context as threat-intelligence enrichment, especially for Android, without treating those relationships as evidence of current targeting.

Mitigation priorities

  • Enable remote attestation when available and restrict enterprise resource access for devices that fail attestation, consistent with M1002.
  • Deploy compromised-device detection methods through built-in device mechanisms, mobile security applications, EMM/MDM, or other enterprise controls, consistent with M1010.
  • Use access policy to reduce reliance on user authentication alone when device integrity is unknown or failed.
  • Prioritize validation of rooted or jailbroken device handling in mobile incident response playbooks.
  • Document mobile integrity controls and exceptions as compliance evidence for enterprise device trust decisions.
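
As an added, illustrative example (not Glexia's or MITRE's code) of the correlation described under Detection direction and the access-policy stance under Mitigation priorities, the Python below folds constructed MTD, EMM/MDM and application events for four hypothetical devices into a per-device integrity state, scores shell and superuser-binary activity against that state, flags the blind spot where compromise indicators exist without process-level command telemetry, and derives an allow / step-up / deny access decision that does not rest on user authentication alone. The event schema, device IDs, field names, commands and the support allowlist are all assumptions made for the example, not any vendor's real export format.

```python
"""
Correlate mobile shell-execution telemetry with device-integrity state and
derive an access decision from it.

The event schema is hypothetical (not any MTD/EMM vendor's real export):
  device_id, ts (ISO 8601), source ("mtd" | "mdm" | "app") and a "type" of
  attestation | root_indicator | mtd_alert | shell_exec | su_invoke | enterprise_access.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry for four managed devices (illustrative values only).
SAMPLE_EVENTS = [
    # dev-A: attestation passes; an allowlisted support engineer runs a read-only adb command.
    {"device_id": "dev-A", "ts": "2024-05-01T09:00:00Z", "source": "mdm", "type": "attestation", "result": "pass"},
    {"device_id": "dev-A", "ts": "2024-05-01T09:05:00Z", "source": "app", "type": "shell_exec", "via": "adb", "cmd": "getprop ro.build.version.release"},
    {"device_id": "dev-A", "ts": "2024-05-01T09:06:00Z", "source": "mdm", "type": "enterprise_access", "resource": "mail"},
    # dev-B: attestation fails, MTD sees a su binary, a su invocation is recorded, then enterprise access follows.
    {"device_id": "dev-B", "ts": "2024-05-01T10:00:00Z", "source": "mdm", "type": "attestation", "result": "fail"},
    {"device_id": "dev-B", "ts": "2024-05-01T10:01:00Z", "source": "mtd", "type": "root_indicator", "detail": "su binary present"},
    {"device_id": "dev-B", "ts": "2024-05-01T10:02:00Z", "source": "app", "type": "su_invoke", "cmd": "su -c id"},
    {"device_id": "dev-B", "ts": "2024-05-01T10:03:00Z", "source": "mdm", "type": "enterprise_access", "resource": "vpn"},
    # dev-C: no attestation record, an MTD compromised-device alert, and no command telemetry at all (blind spot).
    {"device_id": "dev-C", "ts": "2024-05-01T11:00:00Z", "source": "mtd", "type": "mtd_alert", "detail": "jailbreak detected"},
    {"device_id": "dev-C", "ts": "2024-05-01T11:02:00Z", "source": "mdm", "type": "enterprise_access", "resource": "sharepoint"},
    # dev-D: attestation never reported, and a shell command appears on a device that is not allowlisted.
    {"device_id": "dev-D", "ts": "2024-05-01T12:00:00Z", "source": "app", "type": "shell_exec", "via": "unknown", "cmd": "sh -c 'uname -a'"},
]

# Devices whose shell use is expected (developer/support workflow); tuned locally, constructed here.
SUPPORT_ALLOWLIST = frozenset({"dev-A"})


@dataclass
class DeviceState:
    """Per-device integrity and activity summary built from the event stream."""
    attestation: str = "missing"          # pass | fail | missing
    root_indicators: list = field(default_factory=list)
    mtd_alerts: list = field(default_factory=list)
    shell_cmds: list = field(default_factory=list)
    su_cmds: list = field(default_factory=list)
    accessed: list = field(default_factory=list)
    has_command_telemetry: bool = False   # False: process-level execution is not visible for this device


def build_states(events):
    """Fold the raw event list into one DeviceState per device_id, in time order."""
    states = defaultdict(DeviceState)
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states[ev["device_id"]]
        kind = ev["type"]
        if kind == "attestation":
            st.attestation = ev["result"]           # the latest attestation result wins
        elif kind == "root_indicator":
            st.root_indicators.append(ev["detail"])
        elif kind == "mtd_alert":
            st.mtd_alerts.append(ev["detail"])
        elif kind == "shell_exec":
            st.shell_cmds.append(ev["cmd"])
            st.has_command_telemetry = True
        elif kind == "su_invoke":
            st.su_cmds.append(ev["cmd"])
            st.has_command_telemetry = True
        elif kind == "enterprise_access":
            st.accessed.append(ev["resource"])
    return dict(states)


def integrity_of(st):
    """Classify device integrity as compromised, unknown (never attested) or trusted."""
    if st.attestation == "fail" or st.root_indicators or st.mtd_alerts or st.su_cmds:
        return "compromised"
    if st.attestation == "missing":
        return "unknown"
    return "trusted"


def access_decision(st):
    """Access policy in the direction of M1002/M1010: device integrity gates access, not user identity alone."""
    integrity = integrity_of(st)
    if integrity == "compromised":
        return "deny"       # failed attestation or compromise indicators: block enterprise resources
    if integrity == "unknown":
        return "step_up"    # no attestation evidence: require enrollment / re-attestation before access
    return "allow"


def triage(events, allowlist=SUPPORT_ALLOWLIST):
    """Return one finding per device worth reporting: {'device_id', 'severity', 'reasons'}."""
    findings = []
    for dev, st in sorted(build_states(events).items()):
        integrity = integrity_of(st)
        shell_activity = bool(st.shell_cmds or st.su_cmds)
        severity, reasons = "info", []
        if st.su_cmds:
            severity, reasons = "high", ["superuser binary invoked"]
        elif shell_activity and integrity == "compromised":
            severity, reasons = "high", ["shell use on compromised device"]
        elif shell_activity and integrity == "unknown":
            severity, reasons = "medium", ["shell use on device with no attestation"]
        elif shell_activity and dev not in allowlist:
            severity, reasons = "medium", ["unexpected shell use on managed device"]
        elif shell_activity:
            reasons = ["expected support/developer shell activity"]
        # Blind spot: compromise indicators but nothing at the process level to correlate with.
        if integrity == "compromised" and not st.has_command_telemetry:
            severity = "high" if st.accessed else "medium"
            reasons.append("no process-level command telemetry; integrity indicators only")
        # Enterprise access from a non-trusted device raises the business impact of the finding.
        if integrity != "trusted" and st.accessed:
            reasons.append("reached enterprise resources: " + ", ".join(st.accessed))
        if not shell_activity and integrity == "trusted":
            continue  # clean, quiet device: nothing to report
        findings.append({"device_id": dev, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    states = build_states(SAMPLE_EVENTS)
    for f in triage(SAMPLE_EVENTS):
        print(f["device_id"], f["severity"], access_decision(states[f["device_id"]]), "; ".join(f["reasons"]))
```

The ordering of the checks is the tuning point from the Detection direction list: a superuser-binary invocation is scored before anything else because on a managed device it should not be possible unless the device is rooted or jailbroken, while a shell command from an allowlisted support device on a trusted, attested device is kept as an informational record rather than an alert. dev-C shows why integrity telemetry has to stand in where command telemetry is absent: it never produces a shell event, yet it reaches enterprise resources with an MTD compromise alert and no attestation, which is the case the blind-spot bullet warns about.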

Analyst notes and limits

This object replaces the revoked mobile technique T1605 Command-Line Interface and is a sub-technique of T1623 Command and Scripting Interpreter. ATT&CK lists Android and iOS platforms, but most supplied software relationships are Android-focused. The Samsung Knox Mobile Threat Defense reference and mitigation text support considering mobile threat defense and attestation capabilities where available.

MITRE provides no official detection text and no tactic mapping for this object in the supplied fields. The assessment cannot determine whether any organization has telemetry, coverage, active exposure, or incidents without local MTD, EMM/MDM, attestation, access, and IR data.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1623 | Command and Scripting Interpreter | This object is a sub-technique of Command and Scripting Interpreter.
Mobile | T1605 | Command-Line Interface | Command-Line Interface was revoked by this object.

Associated objects

Groups, software, and campaigns

S1061: AbstractEmu (Malware, Mobile: Android)

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States; however, victims are believed to be across a total of 17 countries.[1]

S0544: HenBox (Malware, Mobile: Android)

HenBox is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group.[1]

S0655: BusyGasper (Malware, Mobile: Android)

BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia and were infected via physical access to the device.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.2
Raw hash
936e2af1472c6cd8...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 936e2af1472c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Samsung Knox Mobile Threat Defense: Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.
  2. [2] mitre-attack T1623.001

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.