T1059.003 Windows Command Shell Mappings

Adversaries may abuse the Windows command shell for execution. The Windows command shell (<code>cmd.exe</code>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage <code>cmd.exe</code> to execute various commands and payloads. Common uses include <code>cmd.exe /c</code> to execute a single command, or abusing <code>cmd.exe</code> interactively with input and output forwarded over a command and control channel.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-7 Least Functionality Protects T1059.003 Windows Command Shell
SI-10 Information Input Validation Protects T1059.003 Windows Command Shell
SI-7 Software, Firmware, and Information Integrity Protects T1059.003 Windows Command Shell
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1059.003 Windows Command Shell
azure_sentinel Azure Sentinel technique_scores T1059.003 Windows Command Shell