T1059.003: Windows Command Shell
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage cmd to execute various commands and payloads. Common uses include invoking cmd to run a single command (typically via the /c switch), or driving cmd interactively with its standard input and output forwarded over a command and control channel, i.e. a reverse shell.
C0025 (2016 Ukraine Electric Power Attack)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the
ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.
Action RAT can use
Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.
ADVSTORESHELL can create a remote shell and run a given command.
Anchor has used cmd.exe to run its self deletion routine.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.
APT18 uses cmd.exe to execute commands on the victim’s machine.
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload. The group has also used macros to execute payloads.
An APT3 downloader uses the Windows command
APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.
Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to
AuditCred can open a reverse shell on the system to execute commands.
AuTo Stealer can use
Babuk has the ability to use the command line to control execution on compromised hosts.
BackConfig can download and run batch files to execute commands on a compromised host.
Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.
BADNEWS is capable of executing commands via cmd.exe.
Bandook is capable of spawning a Windows command shell.
Bankshot uses the command-line interface to execute arbitrary commands.
Bazar can launch cmd.exe to perform reconnaissance commands.
BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.
BISCUIT has a command to launch a command shell on the system.
Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.
Black Basta can use
BlackCat can execute commands on a compromised network with the use of
BLACKCOFFEE has the capability to create a reverse shell.
BlackMould can run cmd.exe with parameters.
BLINDINGCAN has executed commands via cmd.exe.
Blue Mockingbird has used batch script files to automate execution and deployment of payloads.
BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.
BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.
BRONZE BUTLER has used batch scripts and the command-line interface for execution.
S1063 (Brute Ratel C4)
Brute Ratel C4 can use cmd.exe for execution.
During C0015, the threat actors used
During C0017, APT41 used
CALENDAR has a command to run cmd.exe to execute commands.
Cardinal RAT can execute commands.
CARROTBAT has the ability to execute command line arguments on a compromised host.
Caterpillar WebShell can run commands on the compromised asset with CMD functions.
ccf32 has used
The C# implementation of the CharmPower command execution module can use
Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.
China Chopper's server component is capable of opening a command terminal.
Clop can use cmd.exe to help execute commands on the system.
cmd is used to execute programs and other actions at the command-line interface.
Cobalt Strike uses a command-line interface to interact with systems.
Cobian RAT can launch a remote command shell interface for executing commands.
CoinTicker executes a bash script to establish a reverse shell.
Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.
A module in CozyCar allows arbitrary commands to be executed by invoking
Crimson has the ability to execute commands with the COMSPEC environment variable.
DanBot has the ability to execute arbitrary commands via
Dark Caracal has used macros in Word documents that would download a second stage if executed.
DarkComet can launch a remote shell to execute commands on the victim’s machine.
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.
DarkTortilla can use
DarkWatchman can use
DEADEYE can run
DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.
Dragonfly has used various types of scripting to perform operations, including batch scripts.
DropBook can execute arbitrary shell commands on the victims' machines.
ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.
Ember Bear had used
Emissary has the capability to create a remote shell and execute specified commands.
EnvyScout can use cmd.exe to execute malicious files on compromised hosts.
EvilBunny has an integrated scripting engine to download and execute Lua scripts.
S0343 (Exaramel for Windows)
Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.
FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.
FIN10 has executed malicious .bat files containing PowerShell commands.
FIN6 has used
FIN7 used the command prompt to launch commands on the victim’s machine.
FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities. FIN8 has also executed commands remotely via cmd.
Flagpro can use
FlawedAmmyy has used
Fox Kitten has used cmd.exe likely as a password changing mechanism.
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line 
FunnyDream can use
During FunnyDream, the threat actors used
GALLIUM used the Windows command shell to execute commands.
Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.
Gold Dragon uses cmd.exe to execute commands for discovery.
GoldenSpy can execute remote commands via the command-line interface.
GoldMax can spawn a command shell, and execute native commands.
Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.
Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.
GravityRAT executes commands remotely on the infected host.
GreyEnergy uses cmd.exe to execute itself in-memory.
GrimAgent can use the Windows Command Shell to execute commands, including its own removal.
HAFNIUM has used
HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.
hcdLoader provides command-line access to the compromised system.
Helminth can provide a remote shell. One version of Helminth uses batch scripting.
HermeticWiper can use
HermeticWizard can use
HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.
Hikit has the ability to create a remote shell and run given commands.
HOPLIGHT can launch cmd.exe to execute commands on the system.
HotCroissant can remotely open applications on the infected host with the
HTTPBrowser is capable of spawning a reverse shell on a victim.
httpclient opens cmd.exe on the victim.
Indrik Spider has used batch scripts on victim's machines.
InnaputRAT launches a shell to execute commands on the victim’s machine.
InvisiMole can launch a remote shell to execute commands.
JPIN can use the command-line utility cacls.exe to change file permissions.
Kazuar uses cmd.exe to execute commands on the victim’s machine.
Ke3chang has used batch scripts in its malware to install persistence mechanisms.
Kevin can use a renamed image of
KeyBoy can launch interactive shells for communicating with the victim machine.
KGH_SPY has the ability to set a Registry key to run a cmd.exe command.
Kimsuky has executed Windows commands by using
Koadic can open an interactive command shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript) and can run arbitrary shellcode.
KOCTOPUS has used
KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.
Lazarus Group malware uses cmd.exe to execute commands on a compromised host. A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.
LazyScripter has used batch files to deploy open-source and multi-stage RATs.
LightNeuron is capable of executing commands via cmd.exe.
Linfo creates a backdoor through which remote attackers can start a remote shell.
Lizar has a command to open the command-line on the infected system.
Lokibot has used
LoudMiner used a batch script to run the Linux virtual machine as a service.
Lucifer can issue shell commands to download and execute additional payloads.
Machete has used batch files to initiate additional downloads of malicious files.
Magic Hound has used the command-line interface for code execution.
MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.
The Maze encryption process has used batch scripts with various commands.
MCMD can launch a console process (cmd.exe) with redirected standard input and output.
MechaFlounder has the ability to run commands on a compromised host.
MegaCortex has used
menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands. menuPass has used malicious macros embedded inside Office documents to execute files.
Metador has used the Windows command line to execute commands.
Meteor can run
Milan can use
MirageFox has the capability to execute commands using cmd.exe.
Mis-Type has used
Misdat is capable of providing shell functionality to the attacker to execute commands.
Mivast has the capability to open a remote shell and run basic commands.
MoleNet can execute commands via the command line utility.
MoonWind can execute commands via an interactive command shell. MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.
Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.
MuddyWater has used a custom tool for creating reverse shells.
Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.
NavRAT leverages cmd.exe to perform discovery techniques. NavRAT loads malicious shellcode and executes it in memory.
NETEAGLE allows adversaries to execute shell commands on the infected host.
Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.
During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.
njRAT can launch a command shell interface for executing commands.
Nomadic Octopus used
OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. OceanSalt has been executed via malicious macros.
OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. OilRig has used batch scripts.
Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.
OopsIE uses the command prompt to execute commands on the victim's machine.
During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.
C0022 (Operation Dream Job)
During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.
During Operation Honeybee, various implants used batch scripting and
During Operation Wocao, threat actors spawned a new
OutSteel has used
PingPull can use
Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.
PLAINTEE uses cmd.exe to execute commands on the victim’s machine.
PLEAD has the ability to execute shell commands on the compromised host.
PlugX allows actors to spawn a reverse shell on a victim.
PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.
Pony has used batch scripts to delete itself after execution.
Proxysvc executes a binary on the system and logs the results into a temp file by using:
Pteranodon can use
QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.
QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.
QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
Ragnar Locker has used cmd.exe and batch scripts to execute commands.
RainyDay can use the Windows Command Shell for execution.
RCSession can use
RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.
Remcos can launch a remote command line to execute commands on the victim’s machine.
Remexi silently executes received commands with cmd.exe.
Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.
REvil can use the Windows command line to delete volume shadow copies and disable recovery.
RGDoor uses cmd.exe to execute commands on the victim’s machine.
Rising Sun has executed commands using
RobbinHood uses cmd.exe on the victim's computer.
RogueRobin uses Windows Script Components.
RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.
Ryuk has used
S-Type has provided the ability to execute shell commands on a compromised host.
Saint Bot has used
Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.
SamSam uses custom batch scripts to execute some of its components.
SDBbot has the ability to use the command shell to execute commands on a compromised host.
Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.
SEASHARPEE can execute commands on victims.
ServHelper can execute shell commands against cmd.
Seth-Locker can execute commands via the command line shell.
Shark has the ability to use
SharpStage can execute arbitrary commands with the command line.
ShimRat can be issued a command shell function from the C2.
SideTwist can execute shell commands on a compromised host.
Silence has used Windows command-line to run commands.
SILENTTRINITY can use
SLOTHFULMEDIA can open a command line to execute commands.
Small Sieve can use
SNUGRIDE is capable of executing commands and spawning a reverse shell.
During the SolarWinds Compromise, APT29 used
Squirrelwaffle has used
STARWHALE has the ability to execute commands via
StrifeWater can execute shell commands using
Several tools used by Suckfly have been command-line driven.
SUGARUSH has used
SYSCON has the ability to execute commands through cmd on a compromised host.
TAINTEDSCRIBE can enable Windows CLI access and execute files.
Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.
TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.
TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.
Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.
Threat Group-3390 has used command-line interfaces for execution.
TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.
Tropic Trooper has used Windows command scripts.
TSCookie has the ability to execute shell commands on the infected host.
Turian can create a remote shell and execute commands using cmd.
Turla RPC backdoors have used cmd.exe to execute commands.
TYPEFRAME can uninstall malware components using a batch script. TYPEFRAME can execute commands using a shell.
Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, which provides a reverse shell upon receipt of a special packet.
UPPERCUT uses cmd.exe to execute commands on the victim’s machine.
Volgmer can execute commands on the victim's machine.
WarzoneRAT can use
WastedLocker has used cmd to execute commands on the system.
WellMess can execute command line scripts received from C2.
WhisperGate can use
Wiarp creates a backdoor through which remote attackers can open a command line interface.
Wizard Spider has used cmd.exe to execute commands on a victim's machine.
Zebrocy uses cmd.exe to execute commands on the system.
Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.
ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.
Mitigation (Execution Prevention): use application control where appropriate. Blocking cmd.exe outright is rarely practical, since installers and administration tooling depend on it; scope the policy to standard users and to the paths from which batch files are allowed to run, and alert on policy violations rather than relying on the block alone.
|ID|Data Source|Data Component|Detects|
|DS0017|Command|Command Execution|Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.|
|DS0009|Process|Process Creation|Monitor for newly executed processes that may abuse the Windows command shell for execution.|
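The detection guidance above and the interactive-shell / batch-file abuse described in the technique description are easiest to reason about against concrete process-creation telemetry. The following is an added example written for this page, not ATT&CK's own code or tooling. It assumes events have already been normalised into dicts whose keys mirror Sysmon Event ID 1 fields (parent_image, image, original_file_name, command_line); the five sample events are constructed, not captured. The checks correspond to patterns that recur in the procedure examples: a shell spawned by an Office application or script host (macro-driven execution), `%COMSPEC%` used in place of the cmd.exe path, a renamed cmd.exe image identified through its PE OriginalFileName, the delay-then-`del` self-removal idiom, shadow-copy deletion, and batch files launched from user-writable directories. Caret escapes (`po^wer^shell`) are stripped before matching because cmd ignores them but naive string rules do not.

```python
"""Triage of Windows process-creation events for abuse of cmd.exe (T1059.003).

Added example for this page; not ATT&CK's own code. Event keys mirror Sysmon
Event ID 1 fields (assumed naming); sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_AND_SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                             "wscript.exe", "cscript.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
DOWNLOAD_CRADLES = ("powershell", "certutil", "bitsadmin", "curl", "wget", "mshta", "rundll32")
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|public|programdata|downloads)\\", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cmd(event: dict) -> bool:
    """cmd.exe may be copied under another name; trust the PE's OriginalFileName first."""
    if event.get("original_file_name", "").lower() == "cmd.exe":
        return True
    if basename(event.get("image", "")) == "cmd.exe":
        return True
    # %COMSPEC% normally expands to cmd.exe; some implants use the variable instead of the path
    return event.get("command_line", "").lstrip().lower().startswith("%comspec%")


def deobfuscate(cmdline: str) -> str:
    """Strip cmd's caret escape and empty quote pairs, which hide keywords from naive matching."""
    return cmdline.replace("^", "").replace('""', "")


def split_commands(cmdline: str) -> list[str]:
    """Split on unquoted &, &&, || and | (cmd's command separators and pipe)."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif not in_quote and ch in "&|":
            parts.append("".join(buf))
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1  # consume the second char of && or ||
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def payload_after_switch(cmdline: str) -> str:
    """Return what cmd will actually run: the text after /c or /k, minus one pair of outer quotes."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I)
    if not m:
        return ""
    payload = m.group(1).strip()
    if len(payload) > 1 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]
    return payload


def triage(event: dict) -> list[Finding]:
    if not is_cmd(event):
        return []
    findings: list[Finding] = []
    image, parent = event.get("image", ""), event.get("parent_image", "")
    parent_name = basename(parent)
    if basename(image) != "cmd.exe" and event.get("original_file_name", "").lower() == "cmd.exe":
        findings.append(Finding("renamed_cmd", f"{image} has OriginalFileName cmd.exe"))
    if parent_name in OFFICE_AND_SCRIPT_PARENTS:
        findings.append(Finding("shell_from_office_or_script_host", parent_name))
    elif parent_name and parent_name not in INTERACTIVE_PARENTS and USER_WRITABLE.search(parent):
        findings.append(Finding("shell_from_user_writable_parent", parent))  # implant spawning a shell
    raw = payload_after_switch(deobfuscate(event.get("command_line", "")))
    subcmds = [s.lower() for s in split_commands(raw)]
    for sub in subcmds:
        tokens = sub.split()
        head = basename(tokens[0].strip('"')) if tokens else ""
        if head.startswith(DOWNLOAD_CRADLES):
            findings.append(Finding("download_cradle", sub))
        if head.endswith((".bat", ".cmd")) and USER_WRITABLE.search(sub):
            findings.append(Finding("batch_from_user_writable_path", sub))
        if ("vssadmin" in sub and "shadows" in sub) or ("shadowcopy" in sub and "delete" in sub):
            findings.append(Finding("shadow_copy_deletion", sub))
    # delay (ping/timeout/choice) followed by del: the classic self-removal batch idiom
    if len(subcmds) >= 2 and re.match(r"(ping|timeout|choice)\b", subcmds[0]) and subcmds[-1].startswith("del "):
        findings.append(Finding("delayed_self_delete", " & ".join(subcmds)))
    return findings


def rules_for(event: dict) -> set[str]:
    return {f.rule for f in triage(event)}


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "command_line": r'"C:\Windows\System32\cmd.exe"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": "cmd.exe /c po^wer^shell -nop -w hidden -enc SQBFAFgA"},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"parent_image": r"C:\Users\Public\locker.exe", "image": r"C:\Windows\Temp\svch.exe",
     "original_file_name": "Cmd.Exe",
     "command_line": "%COMSPEC% /c vssadmin delete shadows /all /quiet && wmic shadowcopy delete"},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\inst.bat"'},
]

if __name__ == "__main__":
    for n, ev in enumerate(SAMPLE_EVENTS):
        rules = sorted(rules_for(ev)) or ["-"]
        print(f"event {n}: {basename(ev['parent_image'])} -> {basename(ev['image'])}: {', '.join(rules)}")
```

The first event (explorer.exe launching an interactive cmd.exe) produces no findings, which is the point: cmd.exe itself is too common to alert on, so the signal comes from the parent process, the image identity, and what follows /c. The splitter deliberately does not treat `>` as a separator, so a redirect such as `> nul` stays attached to the command it belongs to; real command lines will also contain `%VAR%` expansions and nested `cmd /c` that a production rule set would need to resolve.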