| Field | Value |
|---|---|
| Platform | Linux, macOS, Windows |
| Permissions Required | User, Administrator, SYSTEM |
| Data Sources | Process command-line parameters, Process monitoring |
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms [1]. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes a process invocation that changes the permission context for that execution (e.g. Scheduled Task).
Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
- APT1 has used the Windows command shell to execute commands [2].
- An APT3 downloader uses the Windows command `"cmd.exe" /C whoami` [3]. The group also uses a tool to execute commands on remote computers [4].
- APT34 has used the command-line interface for execution [5][6].
- BRONZE BUTLER uses the command-line interface [7].
- Malware used by Ke3chang can run commands on the command-line interface [8].
- Lazarus Group malware uses cmd.exe to execute commands on victims [9].
- Magic Hound has used the command-line interface [10].
- OilRig has used a command-line interface for execution [11].
- Patchwork ran a reverse shell with Meterpreter [12].
- Sowbug has used the command line during its intrusions [13].
- Several tools used by Suckfly have been command-line driven [14].
- Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands [15].
- Threat Group-3390 has used command-line interfaces for execution [16].
- Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer [17].
- menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands [18][19][20].
- 4H RAT has the capability to create a remote shell [21].
- ADVSTORESHELL can create a remote shell and run a given command [22][23].
- Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell [24].
- BADNEWS is capable of executing commands via cmd.exe [25].
- BLACKCOFFEE has the capability to create a reverse shell [26].
- CHOPSTICK is capable of performing remote command execution [27][22].
- CallMe has the capability to create a reverse shell on victims [28].
- China Chopper is capable of opening a command terminal [16].
- Cobalt Strike uses a command-line interface to interact with systems [29].
- A module in CozyCar allows arbitrary commands to be executed by invoking
- Daserf can execute shell commands [31][7].
- Derusbi is capable of creating a remote Bash shell and executing commands [32].
- DownPaper uses the command line [33].
- Emissary has the capability to create a remote shell and execute specified commands [34].
- Felismus uses the command line for execution [35].
- H1N1 kills and disables services by using cmd.exe [36].
- HTTPBrowser is capable of spawning a reverse shell on a victim [37].
- Helminth can provide a remote shell [38].
- Hi-Zor has the ability to create a reverse shell [39].
- KOMPROGO is capable of creating a reverse shell [40].
- Kasidet can execute commands using cmd.exe [41].
- Matroyshka is capable of providing Meterpreter shell access [42].
- Mis-Type uses cmd.exe to run commands for enumerating the host [43].
- Misdat is capable of providing shell functionality to the attacker to execute commands [43].
- Mivast has the capability to open a remote shell and run basic commands [44].
- MoonWind can execute commands via an interactive command shell [45].
- NETEAGLE allows adversaries to execute shell commands on the infected host [24].
- PHOREAL is capable of creating a reverse shell [40].
- POWRUNER can execute commands from its C2 server [5].
- Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell [46].
- PlugX allows actors to spawn a reverse shell on a victim [37].
- PowerDuke runs `cmd.exe /c` and sends the output to its C2 [47].
- Pteranodon can execute commands on the victim [48].
- RTM uses the command line and rundll32.exe to execute [49].
- RedLeaves can receive and execute commands with cmd.exe [19]. It can also provide a reverse shell [50].
Command-line interface activity can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools.
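As an added example that is not part of the ATT&CK page, the following script applies the detection idea above to constructed process-creation records: it keys on the parent process and the command line of shell launches, flagging non-interactive `/c` invocations, shells spawned by document or web-server processes, and the follow-on commands the procedure examples mention (whoami, rundll32.exe, Run-key edits). The key=value log layout, field names and parent-process list are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not real telemetry). The key=value
# layout and field names are assumptions made for this example.
SAMPLE_LOG = r"""
pid=4120 image=C:\Windows\System32\cmd.exe parent=C:\Windows\explorer.exe cmdline="cmd.exe"
pid=4188 image=C:\Windows\System32\cmd.exe parent=C:\Program Files\Microsoft Office\WINWORD.EXE cmdline="cmd.exe" /C whoami
pid=4201 image=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\inetsrv\w3wp.exe cmdline=cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\u.exe
pid=4310 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline=notepad.exe
pid=4402 image=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\svchost.exe cmdline=cmd.exe /c rundll32.exe C:\Users\Public\p.dll,Run
"""

SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "zsh"}
# Parents that should rarely launch a shell: document viewers and web-server workers (assumed list).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe", "httpd", "nginx"}
# Follow-on commands named in the procedure examples on this page.
FOLLOW_ON = re.compile(r"\b(whoami|rundll32\.exe|reg add)\b", re.IGNORECASE)
RECORD = re.compile(r"^pid=(\d+) image=(.+?) parent=(.+?) cmdline=(.*)$")

@dataclass
class Finding:
    pid: int
    severity: str
    reasons: tuple

def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def assess(line: str):
    """Return a Finding for a shell launch worth reviewing, else None."""
    m = RECORD.match(line.strip())
    if not m or basename(m[2]) not in SHELLS:
        return None
    parent, cmdline = basename(m[3]), m[4]
    reasons = []
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"shell spawned by {parent}")
    if re.search(r"(^|\s)[/-]c\b", cmdline, re.IGNORECASE):
        reasons.append("non-interactive /c invocation")
    hit = FOLLOW_ON.search(cmdline)
    if hit:
        reasons.append(f"follow-on command: {hit[1].lower()}")
    if not reasons:
        return None
    severity = "high" if parent in UNUSUAL_PARENTS else "medium"
    return Finding(int(m[1]), severity, tuple(reasons))

def analyze(log: str) -> list:
    """Run assess() over every record in a log and keep the findings."""
    return [f for f in (assess(l) for l in log.splitlines()) if f]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The interactive cmd.exe launched from explorer.exe produces no finding, which is the baseline this logic is meant to separate from the scripted and parent-anomalous launches.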
1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
2. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
3. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
5. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
6. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
7. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
8. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
9. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
10. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
11. Unit 42. (2017, December 15). Unit 42 Playbook Viewer - Oil Rig. Retrieved December 20, 2017.
12. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
13. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
14. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
15. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
16. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
17. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
18. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
19. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
20. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
21. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
22. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
23. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
24. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
25. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
26. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
27. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
28. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
29. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
30. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
31. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
32. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
33. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
34. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
35. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
36. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
37. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
38. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
39. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
40. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
41. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
42. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
43. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
44. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
45. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
46. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
47. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
48. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
50. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
51. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
52. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
53. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
54. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
55. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.