ID | Name |
---|---|
T1059.001 | PowerShell |
T1059.002 | AppleScript |
T1059.003 | Windows Command Shell |
T1059.004 | Unix Shell |
T1059.005 | Visual Basic |
T1059.006 | Python |
T1059.007 | JavaScript |
T1059.008 | Network Device CLI |
T1059.009 | Cloud API |
T1059.010 | AutoHotKey & AutoIT |
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.[1]
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the |
S0065 | 4H RAT | |
S0469 | ABK |
ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[4] |
S1028 | Action RAT |
Action RAT can use |
S0202 | adbupd | |
G0018 | admin@338 |
Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[7] |
S0045 | ADVSTORESHELL |
ADVSTORESHELL can create a remote shell and run a given command.[8][9] |
S1129 | Akira |
Akira executes from the Windows command line and can take various arguments for execution.[10] |
S0504 | Anchor |
Anchor has used cmd.exe to run its self deletion routine.[11] |
G0006 | APT1 |
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[12] |
G0026 | APT18 |
APT18 uses cmd.exe to execute commands on the victim’s machine.[13][14] |
G0007 | APT28 |
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[15] The group has also used macros to execute payloads.[16][17][18][19] |
G0022 | APT3 |
An APT3 downloader uses the Windows command |
G0050 | APT32 | |
G0067 | APT37 | |
G0082 | APT38 |
APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[25] |
G0096 | APT41 |
APT41 used |
G1023 | APT5 |
APT5 has used cmd.exe for execution on compromised systems.[28] |
G0143 | Aquatic Panda |
Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to |
S0373 | Astaroth | |
S0347 | AuditCred |
AuditCred can open a reverse shell on the system to execute commands.[31] |
S1029 | AuTo Stealer |
AuTo Stealer can use |
S0638 | Babuk |
Babuk has the ability to use the command line to control execution on compromised hosts.[32][33] |
S0414 | BabyShark | |
S0475 | BackConfig |
BackConfig can download and run batch files to execute commands on a compromised host.[35] |
S0031 | BACKSPACE |
Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[36] |
S1081 | BADHATCH |
BADHATCH can use |
S0128 | BADNEWS |
BADNEWS is capable of executing commands via cmd.exe.[39][40] |
S0234 | Bandook |
Bandook is capable of spawning a Windows command shell.[41][42] |
S0239 | Bankshot |
Bankshot uses the command-line interface to execute arbitrary commands.[43][44] |
S0534 | Bazar |
Bazar can launch cmd.exe to perform reconnaissance commands.[45][46] |
S0470 | BBK |
BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[4] |
S0017 | BISCUIT |
BISCUIT has a command to launch a command shell on the system.[47] |
S0268 | Bisonal |
Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.[48][49][50] |
S1070 | Black Basta |
Black Basta can use |
S1068 | BlackCat |
BlackCat can execute commands on a compromised network with the use of |
S0069 | BLACKCOFFEE |
BLACKCOFFEE has the capability to create a reverse shell.[53] |
S0564 | BlackMould |
BlackMould can run cmd.exe with parameters.[54] |
S0520 | BLINDINGCAN |
BLINDINGCAN has executed commands via cmd.exe.[55] |
G0108 | Blue Mockingbird |
Blue Mockingbird has used batch script files to automate execution and deployment of payloads.[56] |
S0360 | BONDUPDATER |
BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[57] |
S0651 | BoxCaon |
BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.[58] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used batch scripts and the command-line interface for execution.[59] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 can use cmd.exe for execution.[60] |
S1039 | Bumblebee | |
C0015 | C0015 |
During C0015, the threat actors used |
C0017 | C0017 |
During C0017, APT41 used |
S0025 | CALENDAR |
CALENDAR has a command to run cmd.exe to execute commands.[47] |
S0030 | Carbanak | |
S0348 | Cardinal RAT |
Cardinal RAT can execute commands.[66] |
S0462 | CARROTBAT |
CARROTBAT has the ability to execute command line arguments on a compromised host.[67] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell can run commands on the compromised asset with CMD functions.[68] |
S1043 | ccf32 |
ccf32 has used |
S0631 | Chaes | |
S0674 | CharmPower |
The C# implementation of the CharmPower command execution module can use |
G0114 | Chimera |
Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[72] |
S0020 | China Chopper |
China Chopper's server component is capable of opening a command terminal.[73][74][75] |
G1021 | Cinnamon Tempest |
Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.[76] |
S0660 | Clambling | |
S0611 | Clop |
Clop can use cmd.exe to help execute commands on the system.[78] |
S0106 | cmd |
cmd is used to execute programs and other actions at the command-line interface.[79] |
G0080 | Cobalt Group |
Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[80] The group has used an exploit toolkit known as Threadkit that launches .bat files.[81][82][83][80][84][85] |
S0154 | Cobalt Strike |
Cobalt Strike uses a command-line interface to interact with systems.[86][87][88][89] |
S0338 | Cobian RAT |
Cobian RAT can launch a remote command shell interface for executing commands.[90] |
S0369 | CoinTicker |
CoinTicker executes a bash script to establish a reverse shell.[91] |
S0244 | Comnie | |
S0126 | ComRAT | |
S0575 | Conti |
Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.[94][63] |
S0046 | CozyCar |
A module in CozyCar allows arbitrary commands to be executed by invoking |
S0115 | Crimson |
Crimson has the ability to execute commands with the COMSPEC environment variable.[96] |
S0625 | Cuba | |
S1014 | DanBot |
DanBot has the ability to execute arbitrary commands via |
G0070 | Dark Caracal |
Dark Caracal has used macros in Word documents that would download a second stage if executed.[100] |
S0334 | DarkComet |
DarkComet can launch a remote shell to execute commands on the victim’s machine.[101] |
S1111 | DarkGate |
DarkGate uses a malicious Windows Batch script to run the Windows |
G0012 | Darkhotel |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[103] |
S1066 | DarkTortilla |
DarkTortilla can use |
S0673 | DarkWatchman |
DarkWatchman can use |
S0187 | Daserf | |
S1052 | DEADEYE |
DEADEYE can run |
S0243 | DealersChoice |
DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.[107] |
S0354 | Denis |
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[108][22] |
S0200 | Dipsind | |
S1021 | DnsSystem | |
S0186 | DownPaper | |
G0035 | Dragonfly |
Dragonfly has used various types of scripting to perform operations, including batch scripts.[111] |
S0547 | DropBook |
DropBook can execute arbitrary shell commands on the victims' machines.[112][113] |
S0567 | Dtrack | |
S0593 | ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.[115] |
S0554 | Egregor |
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[116][117] |
G1003 | Ember Bear |
Ember Bear had used |
S0082 | Emissary |
Emissary has the capability to create a remote shell and execute specified commands.[119] |
S0367 | Emotet | |
S0363 | Empire | |
S0634 | EnvyScout |
EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[122] |
S0396 | EvilBunny |
EvilBunny has an integrated scripting engine to download and execute Lua scripts.[123] |
S0343 | Exaramel for Windows |
Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[124] |
S0171 | Felismus | |
S0267 | FELIXROOT |
FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.[126][127] |
G0051 | FIN10 |
FIN10 has executed malicious .bat files containing PowerShell commands.[128] |
G1016 | FIN13 |
FIN13 has leveraged |
G0037 | FIN6 |
FIN6 has used |
G0046 | FIN7 |
FIN7 used the command prompt to launch commands on the victim’s machine.[132][133][134] |
G0061 | FIN8 |
FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[135] FIN8 has also executed commands remotely via |
S0696 | Flagpro |
Flagpro can use |
S0381 | FlawedAmmyy |
FlawedAmmyy has used |
G0117 | Fox Kitten |
Fox Kitten has used cmd.exe likely as a password changing mechanism.[141] |
C0001 | Frankenstein |
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line [142] |
S1044 | FunnyDream |
FunnyDream can use |
C0007 | FunnyDream |
During FunnyDream, the threat actors used |
G0093 | GALLIUM |
GALLIUM used the Windows command shell to execute commands.[143] |
G0047 | Gamaredon Group |
Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[144][145][146][147] |
S0666 | Gelsemium | |
S0249 | Gold Dragon |
Gold Dragon uses cmd.exe to execute commands for discovery.[149] |
S0493 | GoldenSpy |
GoldenSpy can execute remote commands via the command-line interface.[150] |
S0588 | GoldMax |
GoldMax can spawn a command shell, and execute native commands.[151][152] |
S0477 | Goopy |
Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[22] |
G0078 | Gorgon Group |
Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[153] |
S0237 | GravityRAT |
GravityRAT executes commands remotely on the infected host.[154] |
S0342 | GreyEnergy |
GreyEnergy uses cmd.exe to execute itself in-memory.[127] |
S0632 | GrimAgent |
GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[155] |
S0132 | H1N1 | |
G0125 | HAFNIUM |
HAFNIUM has used |
S0246 | HARDRAIN | |
S0391 | HAWKBALL |
HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[159] |
S0071 | hcdLoader |
hcdLoader provides command-line access to the compromised system.[160] |
S0170 | Helminth |
Helminth can provide a remote shell. One version of Helminth uses batch scripting.[161] |
S0697 | HermeticWiper |
HermeticWiper can use |
S0698 | HermeticWizard |
HermeticWizard can use |
S0087 | Hi-Zor | |
S0394 | HiddenWasp |
HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[164] |
G0126 | Higaisa | |
S0009 | Hikit |
Hikit has the ability to create a remote shell and run given commands.[168] |
S0232 | HOMEFRY | |
S0376 | HOPLIGHT |
HOPLIGHT can launch cmd.exe to execute commands on the system.[170] |
S0431 | HotCroissant |
HotCroissant can remotely open applications on the infected host with the |
S0070 | HTTPBrowser |
HTTPBrowser is capable of spawning a reverse shell on a victim.[172] |
S0068 | httpclient |
httpclient opens cmd.exe on the victim.[3] |
G0119 | Indrik Spider |
Indrik Spider has used batch scripts on victim's machines.[173] |
S0259 | InnaputRAT |
InnaputRAT launches a shell to execute commands on the victim’s machine.[174] |
S0260 | InvisiMole |
InvisiMole can launch a remote shell to execute commands.[175][176] |
S0015 | Ixeshe | |
S0389 | JCry | |
S0044 | JHUHUGIT | |
S0201 | JPIN |
JPIN can use the command-line utility cacls.exe to change file permissions.[6] |
S0283 | jRAT | |
S0088 | Kasidet | |
S0265 | Kazuar |
Kazuar uses cmd.exe to execute commands on the victim’s machine.[181] |
G0004 | Ke3chang |
Ke3chang has used batch scripts in its malware to install persistence mechanisms.[182] |
S1020 | Kevin |
Kevin can use a renamed image of |
S0387 | KeyBoy |
KeyBoy can launch interactive shells for communicating with the victim machine.[184][185] |
S0271 | KEYMARBLE | |
S0526 | KGH_SPY |
KGH_SPY has the ability to set a Registry key to run a cmd.exe command.[187] |
G0094 | Kimsuky |
Kimsuky has executed Windows commands by using |
S0250 | Koadic |
Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.[190][191] |
S0669 | KOCTOPUS |
KOCTOPUS has used |
S0156 | KOMPROGO | |
S0356 | KONNI |
KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[193][194][195] |
G0032 | Lazarus Group |
Lazarus Group malware uses cmd.exe to execute commands on a compromised host.[196][197][198][199][200] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[201] |
G0140 | LazyScripter |
LazyScripter has used batch files to deploy open-source and multi-stage RATs.[191] |
S0395 | LightNeuron |
LightNeuron is capable of executing commands via cmd.exe.[202] |
S0211 | Linfo |
Linfo creates a backdoor through which remote attackers can start a remote shell.[203] |
S0681 | Lizar |
Lizar has a command to open the command-line on the infected system.[204][205] |
S0447 | Lokibot |
Lokibot has used |
S0582 | LookBack | |
S0451 | LoudMiner |
LoudMiner used a batch script to run the Linux virtual machine as a service.[208] |
S0532 | Lucifer |
Lucifer can issue shell commands to download and execute additional payloads.[209] |
G0095 | Machete |
Machete has used batch files to initiate additional downloads of malicious files.[210] |
S1060 | Mafalda | |
G0059 | Magic Hound |
Magic Hound has used the command-line interface for code execution.[212][213][214] |
S0652 | MarkiRAT |
MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.[215] |
S0449 | Maze |
The Maze encryption process has used batch scripts with various commands.[216][217] |
S0500 | MCMD |
MCMD can launch a console process (cmd.exe) with redirected standard input and output.[218] |
S0459 | MechaFlounder |
MechaFlounder has the ability to run commands on a compromised host.[219] |
S0576 | MegaCortex |
MegaCortex has used |
G0045 | menuPass |
menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[221][222][223][224] menuPass has used malicious macros embedded inside Office documents to execute files.[225][224] |
G1013 | Metador |
Metador has used the Windows command line to execute commands.[226] |
S0455 | Metamorfo | |
S0688 | Meteor |
Meteor can run |
S0339 | Micropsia | |
S1015 | Milan |
Milan can use |
S0280 | MirageFox |
MirageFox has the capability to execute commands using cmd.exe.[230] |
S0084 | Mis-Type |
Mis-Type has used |
S0083 | Misdat |
Misdat is capable of providing shell functionality to the attacker to execute commands.[231] |
S0080 | Mivast |
Mivast has the capability to open a remote shell and run basic commands.[232] |
S0553 | MoleNet |
MoleNet can execute commands via the command line utility.[112] |
S0149 | MoonWind |
MoonWind can execute commands via an interactive command shell.[233] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[233] |
S0284 | More_eggs | |
S0256 | Mosquito |
Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[236] |
G0069 | MuddyWater |
MuddyWater has used a custom tool for creating reverse shells.[237] |
S0233 | MURKYTOP | |
G0129 | Mustang Panda |
Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[238][239] |
S0336 | NanoCore |
NanoCore can open a remote command-line interface and execute commands.[240] NanoCore uses JavaScript files.[241] |
S0247 | NavRAT |
NavRAT leverages cmd.exe to perform discovery techniques.[242] NavRAT loads malicious shellcode and executes it in memory.[242] |
S0630 | Nebulae | |
S0034 | NETEAGLE |
NETEAGLE allows adversaries to execute shell commands on the infected host.[36] |
S0457 | Netwalker |
Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[244] |
S0198 | NETWIRE | |
C0002 | Night Dragon |
During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[247] |
S0385 | njRAT |
njRAT can launch a command shell interface for executing commands.[248] |
G0133 | Nomadic Octopus |
Nomadic Octopus used |
S0346 | OceanSalt |
OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[250] OceanSalt has been executed via malicious macros.[250] |
G0049 | OilRig |
OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[251][252][253][254][255] OilRig has used batch scripts.[251][252][253][254][255] |
S0439 | Okrum |
Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[256] |
S0264 | OopsIE |
OopsIE uses the command prompt to execute commands on the victim's machine.[253][257] |
C0012 | Operation CuckooBees |
During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[258] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[259][260] |
C0006 | Operation Honeybee |
During Operation Honeybee, various implants used batch scripting and |
C0014 | Operation Wocao |
During Operation Wocao, threat actors spawned a new |
S0229 | Orz |
Orz can execute shell commands.[263] Orz can execute commands with JavaScript.[263] |
S0594 | Out1 | |
S1017 | OutSteel |
OutSteel has used |
G0040 | Patchwork |
Patchwork ran a reverse shell with Meterpreter.[265] Patchwork used JavaScript code and .SCT files on victim machines.[40][266] |
S1050 | PcShare | |
S0643 | Peppy | |
S0158 | PHOREAL | |
S1031 | PingPull |
PingPull can use |
S0124 | Pisloader |
Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[269] |
S0254 | PLAINTEE |
PLAINTEE uses cmd.exe to execute commands on the victim’s machine.[270] |
S0435 | PLEAD |
PLEAD has the ability to execute shell commands on the compromised host.[271] |
S0013 | PlugX |
PlugX allows actors to spawn a reverse shell on a victim.[172][272] |
S0428 | PoetRAT | |
S0012 | PoisonIvy |
PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[274] |
S0453 | Pony |
Pony has used batch scripts to delete itself after execution.[275] |
S0139 | PowerDuke |
PowerDuke runs |
S0184 | POWRUNER | |
S0238 | Proxysvc |
Proxysvc executes a binary on the system and logs the results into a temp file by using: |
S0147 | Pteranodon |
Pteranodon can use |
S1032 | PyDCrypt | |
S0650 | QakBot |
QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[279][280][281][89] |
S0269 | QUADAGENT |
QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.[254] |
S0262 | QuasarRAT |
QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[282][283] |
S0481 | Ragnar Locker |
Ragnar Locker has used cmd.exe and batch scripts to execute commands.[284] |
S0629 | RainyDay |
RainyDay can use the Windows Command Shell for execution.[243] |
G0075 | Rancor | |
S0241 | RATANKBA | |
S0662 | RCSession |
RCSession can use |
S0495 | RDAT | |
S0153 | RedLeaves |
RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[222][288] |
S0332 | Remcos |
Remcos can launch a remote command line to execute commands on the victim’s machine.[289] |
S0375 | Remexi |
Remexi silently executes received commands with cmd.exe.[290] |
S0379 | Revenge RAT |
Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[291] |
S0496 | REvil |
REvil can use the Windows command line to delete volume shadow copies and disable recovery.[292][293][294][295] |
S0258 | RGDoor |
RGDoor uses cmd.exe to execute commands on the victim’s machine.[296] |
S0448 | Rising Sun |
Rising Sun has executed commands using |
S0400 | RobbinHood |
RobbinHood uses cmd.exe on the victim's computer.[298] |
S0270 | RogueRobin |
RogueRobin uses Windows Script Components.[299][300] |
S0148 | RTM | |
S0253 | RunningRAT |
RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.[149] |
S0446 | Ryuk |
Ryuk has used |
S0085 | S-Type |
S-Type has provided the ability to execute shell commands on a compromised host.[231] |
S1018 | Saint Bot |
Saint Bot has used |
S0074 | Sakula |
Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[303] |
S0370 | SamSam |
SamSam uses custom batch scripts to execute some of its components.[304] |
S1099 | Samurai |
Samurai can use a remote command module for execution via the Windows command line.[305] |
S1085 | Sardonic |
Sardonic has the ability to run |
S0461 | SDBbot |
SDBbot has the ability to use the command shell to execute commands on a compromised host.[306] |
S0053 | SeaDuke | |
S0345 | Seasalt |
Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[47] |
S0185 | SEASHARPEE |
SEASHARPEE can execute commands on victims.[308] |
S0382 | ServHelper |
ServHelper can execute shell commands against cmd.[309][310] |
S0639 | Seth-Locker |
Seth-Locker can execute commands via the command line shell.[311] |
S1019 | Shark |
Shark has the ability to use |
S1089 | SharpDisco |
SharpDisco can use |
S0546 | SharpStage |
SharpStage can execute arbitrary commands with the command line.[112][113] |
S0444 | ShimRat |
ShimRat can be issued a command shell function from the C2.[314] |
S0610 | SideTwist |
SideTwist can execute shell commands on a compromised host.[315] |
G0091 | Silence |
Silence has used Windows command-line to run commands.[316][317][318] |
S0692 | SILENTTRINITY |
SILENTTRINITY can use |
S0623 | Siloscape | |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA can open a command line to execute commands.[321] |
S1035 | Small Sieve |
Small Sieve can use |
S0159 | SNUGRIDE |
SNUGRIDE is capable of executing commands and spawning a reverse shell.[288] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 used |
G0054 | Sowbug | |
S0543 | Spark | |
S0390 | SQLRat |
SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[133] |
S1030 | Squirrelwaffle |
Squirrelwaffle has used |
S1037 | STARWHALE |
STARWHALE has the ability to execute commands via |
S0142 | StreamEx | |
S1034 | StrifeWater |
StrifeWater can execute shell commands using |
G0039 | Suckfly |
Several tools used by Suckfly have been command-line driven.[331] |
S1049 | SUGARUSH |
SUGARUSH has used |
S0464 | SYSCON |
SYSCON has the ability to execute commands through cmd on a compromised host.[67] |
G0092 | TA505 | |
G0127 | TA551 | |
S0011 | Taidoor | |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE can enable Windows CLI access and execute files.[336] |
S1011 | Tarrask |
Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.[337] |
S0164 | TDTESS | |
G0139 | TeamTNT |
TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.[339] |
S0146 | TEXTMATE |
TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[340][341] |
G0028 | Threat Group-1314 |
Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[342] |
G0027 | Threat Group-3390 |
Threat Group-3390 has used command-line interfaces for execution.[73][343] |
S0668 | TinyTurla | |
S0004 | TinyZBot | |
G1022 | ToddyCat |
ToddyCat has used .bat scripts and |
S0266 | TrickBot |
TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[347] |
S0094 | Trojan.Karagany |
Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.[348] |
G0081 | Tropic Trooper |
Tropic Trooper has used Windows command scripts.[349] |
S0436 | TSCookie |
TSCookie has the ability to execute shell commands on the infected host.[350] |
S0647 | Turian |
Turian can create a remote shell and execute commands using cmd.[351] |
G0010 | Turla |
Turla RPC backdoors have used cmd.exe to execute commands.[352][353] |
S0199 | TURNEDUP | |
S0263 | TYPEFRAME |
TYPEFRAME can uninstall malware components using a batch script.[355] TYPEFRAME can execute commands using a shell.[355] |
S0333 | UBoatRAT | |
S0221 | Umbreon |
Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet[357] |
S0275 | UPPERCUT |
UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[224] |
S0022 | Uroburos |
Uroburos has the ability to use the command line for execution on the targeted system.[358] |
S0452 | USBferry | |
S0180 | Volgmer |
Volgmer can execute commands on the victim's machine.[359][360] |
G1017 | Volt Typhoon |
Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[361][362][363] |
S0670 | WarzoneRAT |
WarzoneRAT can use |
S0612 | WastedLocker |
WastedLocker has used cmd to execute commands on the system.[365] |
S0109 | WEBC2 | |
S0514 | WellMess |
WellMess can execute command line scripts received from C2.[366] |
S0689 | WhisperGate |
WhisperGate can use |
S0206 | Wiarp |
Wiarp creates a backdoor through which remote attackers can open a command line interface.[368] |
G0102 | Wizard Spider |
Wizard Spider has used |
S1065 | Woody RAT | |
S0653 | xCaon | |
S0117 | XTunnel | |
S0251 | Zebrocy |
Zebrocy uses cmd.exe to execute commands on the system.[373][374] |
S0330 | Zeus Panda |
Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.[375] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[376] |
S0086 | ZLib | |
S0350 | zwShell | |
S0412 | ZxShell |
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention |
Use application control where appropriate. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
DS0009 | Process | Process Creation |
Monitor for newly executed processes that may abuse the Windows command shell for execution. Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd. It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. Analytic 1 - Unusual Command Execution
|