Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1059.003 | Windows Command Shell | |
| AC-17 | Remote Access | mitigates | T1059.003 | Windows Command Shell | |
| SI-16 | Memory Protection | mitigates | T1059.003 | Windows Command Shell | |
| SI-10 | Information Input Validation | mitigates | T1059.003 | Windows Command Shell | |
| SI-03 | Malicious Code Protection | mitigates | T1059.003 | Windows Command Shell | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1059.003 | Windows Command Shell | |
| CM-02 | Baseline Configuration | mitigates | T1059.003 | Windows Command Shell | |
| SI-04 | System Monitoring | mitigates | T1059.003 | Windows Command Shell | |
| AC-02 | Account Management | mitigates | T1059.003 | Windows Command Shell | |
| AC-03 | Access Enforcement | mitigates | T1059.003 | Windows Command Shell | |
| AC-06 | Least Privilege | mitigates | T1059.003 | Windows Command Shell |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.003 | Windows Command Shell | |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1059.003 | Windows Command Shell |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1059.003 | Windows Command Shell |
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Microsoft Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059.003 | Windows Command Shell |
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1059.003 | Windows Command Shell |
Comments
Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
|