T1059.003 Windows Command Shell Mappings

Adversaries may abuse the Windows command shell for execution. The Windows command shell (<code>cmd.exe</code>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage <code>cmd.exe</code> to execute various commands and payloads. Common uses include <code>cmd.exe /c</code> to execute a single command, or abusing <code>cmd.exe</code> interactively with input and output forwarded over a command and control channel.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-7 | Least Functionality | Protects | T1059.003 | Windows Command Shell | |
| SI-10 | Information Input Validation | Protects | T1059.003 | Windows Command Shell | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1059.003 | Windows Command Shell | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059.003 | Windows Command Shell | See comments below |
| azure_sentinel | Azure Sentinel | technique_scores | T1059.003 | Windows Command Shell | See comments below |

Comments (alerts_for_windows_machines)

This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the command line. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".

Comments (azure_sentinel)

The Azure Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Azure Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.