1. Home
  2. ATT&CK Techniques
  3. T1059.003 Windows Command Shell

T1059.003 Windows Command Shell Mappings

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell
action.hacking.vector.Command shell Remote shell related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1059.003 Windows Command Shell
Comments
Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']