Command-Line Interface

ID: T1059
Tactic: Execution
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: Process command-line parameters, Process monitoring
Supports Remote: No

Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platform.[1] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks, including execution of other software. Command-line interfaces can be used locally or remotely, for example via a remote desktop application or a reverse shell session. Commands that are executed run with the current permission level of the command-line interface process unless the command includes a process invocation that changes the permissions context for that execution (e.g., a Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.


Examples

  • APT1 has used the Windows command shell to execute commands.[2]
  • An APT3 downloader uses the Windows command "cmd.exe" /C whoami.[3] The group also uses a tool to execute commands on remote computers.[4]
  • APT34 has used the command-line interface for execution.[5][6]
  • BRONZE BUTLER uses the command-line interface.[7]
  • Malware used by Ke3chang can run commands on the command-line interface.[8]
  • Lazarus Group malware uses cmd.exe to execute commands on victims.[9]
  • Magic Hound has used the command-line interface.[10]
  • OilRig has used a command-line interface for execution.[11]
  • Patchwork ran a reverse shell with Meterpreter.[12]
  • Sowbug has used the command line during its intrusions.[13]
  • Several tools used by Suckfly have been command-line driven.[14]
  • Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[15]
  • Threat Group-3390 has used command-line interfaces for execution.[16]
  • Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[17]
  • menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.[18][19][20]
  • 4H RAT has the capability to create a remote shell.[21]
  • ADVSTORESHELL can create a remote shell and run a given command.[22][23]
  • Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[24]
  • BADNEWS is capable of executing commands via cmd.exe.[25]
  • BLACKCOFFEE has the capability to create a reverse shell.[26]
  • CHOPSTICK is capable of performing remote command execution.[27][22]
  • CallMe has the capability to create a reverse shell on victims.[28]
  • China Chopper is capable of opening a command terminal.[16]
  • Cobalt Strike uses a command-line interface to interact with systems.[29]
  • A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.[30]
  • Daserf can execute shell commands.[31][7]
  • Derusbi is capable of creating a remote Bash shell and executing commands.[32]
  • DownPaper uses the command line.[33]
  • Emissary has the capability to create a remote shell and execute specified commands.[34]
  • Felismus uses the command line for execution.[35]
  • H1N1 kills and disables services by using cmd.exe.[36]
  • HTTPBrowser is capable of spawning a reverse shell on a victim.[37]
  • Helminth can provide a remote shell.[38]
  • Hi-Zor has the ability to create a reverse shell.[39]
  • KOMPROGO is capable of creating a reverse shell.[40]
  • Kasidet can execute commands using cmd.exe.[41]
  • Matroyshka is capable of providing Meterpreter shell access.[42]
  • Mis-Type uses cmd.exe to run commands for enumerating the host.[43]
  • Misdat is capable of providing shell functionality to the attacker to execute commands.[43]
  • Mivast has the capability to open a remote shell and run basic commands.[44]
  • MoonWind can execute commands via an interactive command shell.[45]
  • NETEAGLE allows adversaries to execute shell commands on the infected host.[24]
  • PHOREAL is capable of creating a reverse shell.[40]
  • POWRUNER can execute commands from its C2 server.[5]
  • Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[46]
  • PlugX allows actors to spawn a reverse shell on a victim.[37]
  • PowerDuke runs cmd.exe /c and sends the output to its C2.[47]
  • Pteranodon can execute commands on the victim.[48]
  • RTM uses the command line and rundll32.exe to execute.[49]
  • RedLeaves can receive and execute commands with cmd.exe.[19] It can also provide a reverse shell.[50]
  • ... further results


Mitigation

Audit and/or block command-line interpreters by using whitelisting[51] tools, like AppLocker[52][53] or Software Restriction Policies,[54] where appropriate.[55]


Detection

Command-line interface activity can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools.
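As an added example (not part of the ATT&CK page), the following triage routine runs over constructed process-creation events shaped like Sysmon Event ID 1 / Windows Security 4688 fields and flags the cmd.exe patterns the examples above describe: a shell spawned by a document application, a shell whose parent lives outside system or program directories, and a one-shot "cmd.exe /c" discovery command such as whoami. The parent-application, directory and discovery-command lists are assumptions for illustration and would be tuned per environment.

```python
import shlex

# Constructed sample events (Sysmon Event ID 1 / Security 4688 style fields);
# sample data for this example, not taken from the ATT&CK page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"', "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"cmd.exe" /C whoami', "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r"cmd.exe /c systeminfo", "User": "CORP\\bob"},
]

# Heuristic lists (assumptions for this example; tune per environment).
SHELLS = {"cmd.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DISCOVERY = {"whoami", "systeminfo", "tasklist", "ipconfig", "net"}

def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def tokens(cmdline):
    # Windows-style split: keep backslashes, honour quotes, drop the quote marks.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def triage(event):
    """Return the reasons a shell launch looks suspicious (empty list = nothing flagged)."""
    reasons = []
    if basename(event["Image"]) not in SHELLS:
        return reasons
    parent = event["ParentImage"]
    if basename(parent) in DOCUMENT_APPS:
        reasons.append(f"shell spawned by document application {basename(parent)}")
    if not parent.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"shell parent outside system/program directories: {parent}")
    args = tokens(event["CommandLine"])[1:]
    if any(a.lower() == "/c" for a in args):  # one-shot "cmd.exe /c <command>" pattern
        first = next((a for a in args if not a.startswith("/")), "")
        if basename(first) in DISCOVERY:
            reasons.append(f"one-shot discovery command: {' '.join(args)}")
    return reasons

def scan(events):
    """Indexes of flagged events paired with their reasons."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]
```

Running scan(SAMPLE_EVENTS) flags events 1 and 2 and leaves the interactive cmd.exe launched from explorer.exe alone; a real deployment would feed it the process-creation events from the logging the paragraph above describes.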


References

  1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  3. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  5. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  6. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  7. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  8. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  9. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  10. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  11. Unit 42. (2017, December 15). Unit 42 Playbook Viewer - Oil Rig. Retrieved December 20, 2017.
  12. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  13. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  14. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  15. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  16. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  17. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  18. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  19. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  20. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  21. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  22. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  23. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  24. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  25. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  26. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  27. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  28. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  29. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  30. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  31. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  32. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  33. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  34. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  35. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  36. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  37. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  38. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  39. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  40. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  41. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  42. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  43. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  44. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  45. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  46. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  47. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  48. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  50. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  51. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  52. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  53. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  54. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  55. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.