Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1059.003 | Windows Command Shell |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Windows Command Shell exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Windows Command Shell exploits often involve adversaries using command-line interfaces (such as PowerShell or cmd.exe) to execute unauthorized commands, often bypassing traditional security controls. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate misuse of command shell functionality for malicious purposes.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as unauthorized command execution or attempts to exploit the Windows Command Shell for executing malicious code.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2021-22899 | Ivanti Pulse Connect Secure Command Injection Vulnerability | primary_impact | T1059.003 | Windows Command Shell |
Comments
This vulnerability is exploited through a command injection weakness. Remote authenticated attackers leverage this vulnerability to perform arbitrary code execution on the target system via the Windows Resource Profiles Feature.
References
|
| CVE-2023-42793 | JetBrains TeamCity Authentication Bypass Vulnerability | primary_impact | T1059.003 | Windows Command Shell |
Comments
This vulnerability is exploited through an authentication bypass in JetBrains TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized remote code execution. This vulnerability enables attackers to gain administrative control of the TeamCity server and execute cmd.exe for various malicious activities, including downloading and executing harmful files.
References
|
| CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | primary_impact | T1059.003 | Windows Command Shell |
Comments
CVE-2023-27532 is a vulnerability in their backup & replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.
References
|
| CVE-2021-40449 | Microsoft Windows Win32k Privilege Escalation Vulnerability | secondary_impact | T1059.003 | Windows Command Shell |
Comments
This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities.
The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.
References
|