# Command-Line Interface

Command-Line Interface
Technique
ID T1059
Tactic Execution
Platform Linux, macOS, Windows
Data Sources Process command-line parameters, Process monitoring
Supports Remote No

Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms.1 One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

## Examples

• APT1 has used the Windows command shell to execute commands.2
• An APT3 downloader uses the Windows command "cmd.exe" /C whoami.3 The group also uses a tool to execute commands on remote computers.4
• APT34 has used the command-line interface for execution.56
• BRONZE BUTLER uses the command-line interface.7
• Malware used by Ke3chang can run commands on the command-line interface.8
• Lazarus Group malware uses cmd.exe to execute commands on victims.9
• Magic Hound has used the command-line interface.10
• OilRig has used a command-line interface for execution.11
• Patchwork ran a reverse shell with Meterpreter.12
• Sowbug has used command line during its intrusions.13
• Several tools used by Suckfly have been command-line driven.14
• Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.15
• Threat Group-3390 has used command-line interfaces for execution.16
• Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.17
• menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.181920
• 4H RAT has the capability to create a remote shell.21
• ADVSTORESHELL can create a remote shell and run a given command.2223
• Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell.24
• BADNEWS is capable of executing commands via cmd.exe.25
• BLACKCOFFEE has the capability to create a reverse shell.26
• CHOPSTICK is capable of performing remote command execution.2722
• CallMe has the capability to create a reverse shell on victims.28
• China Chopper is capable of opening a command terminal.16
• Cobalt Strike uses a command-line interface to interact with systems.29
• A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.30
• Daserf can execute shell commands.317
• Derusbi is capable of creating a remote Bash shell and executing commands.32
• DownPaper uses the command line.33
• Emissary has the capability to create a remote shell and execute specified commands.34
• Felismus uses command line for execution.35
• H1N1 kills and disables services by using cmd.exe.36
• HTTPBrowser is capable of spawning a reverse shell on a victim.37
• Helminth can provide a remote shell.38
• Hi-Zor has the ability to create a reverse shell.39
• KOMPROGO is capable of creating a reverse shell.40
• Kasidet can execute commands using cmd.exe.41
• Matroyshka is capable of providing Meterpreter shell access.42
• Mis-Type uses cmd.exe to run commands for enumerating the host.43
• Misdat is capable of providing shell functionality to the attacker to execute commands.43
• Mivast has the capability to open a remote shell and run basic commands.44
• MoonWind can execute commands via an interactive command shell.45
• NETEAGLE allows adversaries to execute shell commands on the infected host.24
• PHOREAL is capable of creating reverse shell.40
• POWRUNER can execute commands from its C2 server.5
• Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.46
• PlugX allows actors to spawn a reverse shell on a victim.37
• PowerDuke runs cmd.exe /c and sends the output to its C2.47
• Pteranodon can execute commands on the victim.48
• RTM uses the command line and rundll32.exe to execute.49
• RedLeaves can receive and execute commands with cmd.exe.19 It can also provide a reverse shell.50
• ... further results

## Mitigation

Audit and/or block command-line interpreters by using whitelisting51 tools, like AppLocker,5253 or Software Restriction Policies54 where appropriate.55

## Detection

Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.