# Command-Line Interface

Command-Line Interface
Technique
ID T1059
Tactic Execution
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources Process command-line parameters, Process monitoring
Supports Remote No

Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms.1 One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

## Examples

• APT1 has used the Windows command shell to execute commands.2
• An APT3 downloader uses the Windows command "cmd.exe" /C whoami.3 The group also uses a tool to execute commands on remote computers.4
• Malware used by Ke3chang can run commands on the command-line interface.5
• Lazarus Group malware uses cmd.exe to execute commands on victims.6
• Patchwork ran a reverse shell with Meterpreter.7
• Several tools used by Suckfly have been command-line driven.8
• Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.9
• Threat Group-3390 has used command-line interfaces for execution.10
• Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.11
• menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.121314
• 4H RAT has the capability to create a remote shell.15
• ADVSTORESHELL can create a remote shell and run a given command.1617
• Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell.18
• BADNEWS is capable of executing commands via cmd.exe.19
• BLACKCOFFEE has the capability to create a reverse shell.20
• CHOPSTICK is capable of performing remote command execution.2116
• CallMe has the capability to create a reverse shell on victims.22
• China Chopper is capable of opening a command terminal.10
• A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.23
• Derusbi is capable of creating a remote Bash shell and executing commands.24
• Emissary has the capability to create a remote shell and execute specified commands.25
• H1N1 kills and disables services by using cmd.exe.26
• HTTPBrowser is capable of spawning a reverse shell on a victim.27
• Hi-Zor has the ability to create a reverse shell.28
• KOMPROGO is capable of creating a reverse shell.29
• Kasidet can execute commands using cmd.exe.30
• Mis-Type uses cmd.exe to run commands for enumerating the host.31
• Misdat is capable of providing shell functionality to the attacker to execute commands.31
• Mivast has the capability to open a remote shell and run basic commands.32
• MoonWind can execute commands via an interactive command shell.33
• NETEAGLE allows adversaries to execute shell commands on the infected host.18
• PHOREAL is capable of creating reverse shell.29
• Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.34
• PlugX allows actors to spawn a reverse shell on a victim.27
• PowerDuke runs cmd.exe /c and sends the output to its C2.35
• Pteranodon can execute commands on the victim.36
• RTM uses the command line and rundll32.exe to execute.37
• RedLeaves can receive and execute commands with cmd.exe.13 It can also provide a reverse shell.38
• SNUGRIDE is capable of executing commands and spawning a reverse shell.38
• Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.39
• SeaDuke is capable of executing commands.40
• StreamEx has the ability to remotely execute commands.41
• TEXTMATE executes cmd.exe to provide a reverse shell to attackers.4243
• TinyZBot supports execution from the command-line.44
• XTunnel has been used to execute remote commands.21
• ZLib has the ability to execute shell commands.31
• cmd is used to execute programs and other actions at the command-line interface.45
• gh0st RAT is able to open a command shell.46