# T1059.003 Windows Command Shell

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.

## Technique Detection

Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
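As an added illustration of the process-creation monitoring described above (this is example code, not part of the ATT&CK entry), the following Python scores constructed Sysmon-style Event ID 1 records for `cmd.exe` launches, weighting an Office or remote-service parent, a `.bat`/`.cmd` argument, and the one-shot `/c` or `/k` switch. The parent-process lists, weights and threshold are assumptions a hunter would tune to the environment's baseline.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (process creation)
# fields; they are illustrative only, not telemetry from any cited report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C "C:\Users\Public\update.bat"',
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "User": r"CORP\svc-backup"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c build.cmd',
     "ParentImage": r"C:\Program Files\Git\mingw64\bin\git.exe",
     "User": r"CORP\dev01"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\bob"},
]

# Assumed parent sets: Office apps rarely have a benign reason to spawn cmd.exe
# (macro launches), and remote-service hosts indicate execution from elsewhere.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "sshd.exe", "psexesvc.exe"}
BATCH_RE = re.compile(r"\S+\.(?:bat|cmd)\b", re.IGNORECASE)
ONESHOT_RE = re.compile(r"(?:^|\s)/[ck](?=\s|$)", re.IGNORECASE)  # cmd /c or /k


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    reasons = []
    if basename(ev["Image"]) != "cmd.exe":
        return 0, reasons
    parent = basename(ev["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(("office-parent", 3))
    elif parent in REMOTE_PARENTS:
        reasons.append(("remote-parent", 2))
    if BATCH_RE.search(ev["CommandLine"]):
        reasons.append(("batch-file", 1))
    if ONESHOT_RE.search(ev["CommandLine"]):
        reasons.append(("cmd /c|/k", 1))
    return sum(w for _, w in reasons), [name for name, _ in reasons]


def hunt(events, threshold=3):
    """Return events at or above the threshold, highest score first."""
    scored = [(score_event(ev), ev) for ev in events]
    hits = [dict(ev, score=s, reasons=r) for (s, r), ev in scored if s >= threshold]
    return sorted(hits, key=lambda h: -h["score"])
```

Run on the constructed events, the Office-spawned `cmd /c` and the batch file launched under a WinRM host are flagged, while the developer's `build.cmd` under git and the interactive prompt under Explorer stay below the threshold.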

-----------------------------------------------------------------------

### Tactics:

  *   Execution

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted and failed to run Bash commands on a Windows host by passing them to <code>cmd /C</code>.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used batch files to deploy open-source and multi-stage RATs.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used batch scripts to download tools and execute cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)| 
| Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) used <code>cmd.exe /c</code> within a malicious macro.(Citation: ESET Nomadic Octopus 2018)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to open a Windows Command Shell on a remote host.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used <code>cmd.exe</code> to execute commands.(Citation: Unit 42 TA551 Jan 2021)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used <code>cmd.exe</code> for execution.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used batch scripts on victim's machines.(Citation: Crowdstrike Indrik November 2018) | 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used <code>cmd.exe</code> to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used cmd.exe likely as a password changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has spawned a new <code>cmd.exe</code> process to execute commands.(Citation: FoxIT Wocao December 2019) | 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used cmd.exe to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.(Citation: Talos Frankenstein June 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used <code>cmd.exe /c</code> to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019) [APT41](https://attack.mitre.org/groups/G0096) used a batch file to install persistence for the [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)| 
| Machete | [Machete](https://attack.mitre.org/groups/G0095) has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has executed commands using <code>cmd.exe</code>.(Citation: Trend Micro TA505 June 2019)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020) | 
| Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has used cmd.exe to execute commands.(Citation: Rancor Unit42 June 2018)| 
| Honeybee | Several commands are supported by [Honeybee](https://attack.mitre.org/groups/G0072)'s implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.(Citation: McAfee Honeybee) [Honeybee](https://attack.mitre.org/groups/G0072) used batch scripting.(Citation: McAfee Honeybee)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.(Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) has used macros in Word documents that would download a second stage if executed.(Citation: Lookout Dark Caracal Jan 2018)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can use cmd.exe to download and execute payloads and to execute commands on the system.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used a Batch file to automate frequently executed post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) [FIN8](https://attack.mitre.org/groups/G0061) has also executed commands remotely via [cmd](https://attack.mitre.org/software/S0106).(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) has used command line during its intrusions.(Citation: Symantec Sowbug Nov 2017)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used the command-line interface.(Citation: Unit 42 Magic Hound Feb 2017)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used batch scripts and the command-line interface for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used cmd.exe for execution.(Citation: Cybereason Cobalt Kitty 2017) | 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used macros to deliver malware such as [QUADAGENT](https://attack.mitre.org/software/S0269) and [OopsIE](https://attack.mitre.org/software/S0264).(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) [OilRig](https://attack.mitre.org/groups/G0049) has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)| 
| FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used various batch scripts to establish C2 and download additional files. [Gamaredon Group](https://attack.mitre.org/groups/G0047)'s backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019) | 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: FireEye APT10 Sept 2018) [menuPass](https://attack.mitre.org/groups/G0045) has used malicious macros embedded inside Office documents to execute files.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) ran a reverse shell with Meterpreter.(Citation: Cymmetria Patchwork) [Patchwork](https://attack.mitre.org/groups/G0040) used JavaScript code and .SCT files on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)| 
| Suckfly | Several tools used by [Suckfly](https://attack.mitre.org/groups/G0039) have been command-line driven.(Citation: Symantec Suckfly May 2016)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used <code>kill.bat</code> script to disable security tools.(Citation: FireEye FIN6 Apr 2019)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has run the <code>xp_cmdshell</code> command in MS-SQL.(Citation: Dragos Crashoverride 2018) | 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)| 
| Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors spawned shells on remote systems on a victim network to execute commands.(Citation: Dell TG-1314)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used command-line interfaces for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Unit42 Emissary Panda May 2019)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) uses cmd.exe to execute commands on the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)| 
| APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader uses the Windows command <code>"cmd.exe" /C whoami</code>. The group also uses a tool to execute commands on remote computers.(Citation: FireEye Operation Double Tap)(Citation: Symantec Buckeye)| 
| admin@338 | Following exploitation with [LOWBALL](https://attack.mitre.org/software/S0042) malware, [admin@338](https://attack.mitre.org/groups/G0018) actors created a file containing a list of commands to be executed on the compromised computer.(Citation: FireEye admin@338)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used <code>cmd.exe</code> to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)| 
| APT28 | An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) has used the Windows command shell to execute commands, and batch scripting to automate execution.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1059/003)

  * [Ssh In Windows](https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh), Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

