T1059.003: Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

- mitre_attck_collection: PT-CR-1012: Export_Certs: An attempt to export certificates or key containers
- mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using xcopy and robocopy utilities, copy command, Copy-Item cmdlet
- mitre_attck_collection: PT-CR-500: Documents_Access_Via_Console: A user interacts with Office documents using cmd.exe or PowerShell
- mitre_attck_impact: PT-CR-501: Stop_Important_Service: Attempt to stop an important service
- mitre_attck_impact: PT-CR-497: Shadow_Copies_Deletion_With_Builtin_Tools: Detection of attempts to delete the shadow copies of data that is needed to restore Windows
- postgresql_database: PT-CR-1903: Subrule_PostgreSQL_Create_Process: Origination of subprocesses of a PostgreSQL database process
- postgresql_database: PT-CR-1902: PostgreSQL_File_System_Actions: The interaction of the PostgreSQL database with the file system may indicate reconnaissance or an attempt of an attacker to escalate privileges if this is not the standard integration of the database with external systems
- postgresql_database: PT-CR-1899: PostgreSQL_Code_Execution: Running a process under a database account may indicate an attempt of an attacker who gained the ability to execute queries to the database to escalate privileges
- sap_suspicious_user_activity: PT-CR-254: SAPASABAP_GW_Sapxpg_Call: SAPXPG run
- mitre_attck_cred_access: PT-CR-298: Access_System_Credential_Files_Via_Cmdline: An attempt to retrieve OS user credentials is detected
- mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
- mitre_attck_cred_access: PT-CR-567: ProcDump_Usage: An LSASS dump is generated using ProcDump
- mysql_database: PT-CR-617: MySQL_Code_Execution: Running a process under a database account may indicate an attempt of an attacker who gained the ability to execute queries to the database to escalate privileges
- mitre_attck_lateral_movement: PT-CR-1370: Remote_Execution_Via_Custom_Impacket: Lateral movement by executing code via the SMB protocol (using a utility based on the Impacket tool)
- mitre_attck_lateral_movement: PT-CR-787: RDP_Shadow_Session_Initiation: Startup of mstsc.exe with the /shadow flag to establish a shadow RDP connection is detected
- mitre_attck_lateral_movement: PT-CR-1374: Impacket_Like_Execution: Script execution patterns based on the Impacket tool are detected
- mitre_attck_lateral_movement: PT-CR-227: RDP_Session_Hijacking: Startup of "tscon" for RDP session hijacking is detected
- mssql_database: PT-CR-423: MSSQL_System_Command_Usage: An attempt to execute a system command using a stored procedure
- hacking_tools: PT-CR-369: Mimikatz_Command: Possible use of the Mimikatz software is detected
- hacking_tools: PT-CR-586: Metasploit_Payload: Possible use of a Metasploit payload is detected
- hacking_tools: PT-CR-2799: Rubeus_Non_Cmdline_Usage: Usage of the Rubeus tool for attacks on the Kerberos protocol
- hacking_tools: PT-CR-2636: Invoke_Rubeus_Usage: The AS-REP Roasting or Kerberoasting technique was used by injecting a payload into a PowerShell process memory. This may indicate the use of the Invoke-Rubeus malware (an obfuscated version of Rubeus that uses a payload encoded in Base64).
- hacking_tools: PT-CR-588: Windows_Hacktool_Usage: Possible use of security analysis tools for Windows systems is detected
- hacking_tools: PT-CR-2688: Covenant_Launcher_Start: A Covenant launcher was started using InstallUtil or PowerShell, followed by a suspicious TCP connection to another host
- hacking_tools: PT-CR-370: NetCat_Usage: Possible use of the NetCat, Socat, and Powercat software is detected
- hacking_tools: PT-CR-374: Sliver_Shell_Usage: Possible use of the Sliver Shell software is detected
- hacking_tools: PT-CR-840: SharpKatz_Usage: The signs of SharpKatz software usage are detected
- hacking_tools: PT-CR-2562: Subrule_Cobalt_Strike_RunDLL32: The rundll32.exe process was started with no arguments and connected to a remote host. This may indicate Cobalt Strike activity.
- hacking_tools: PT-CR-1852: PPLBlade_Cmdline: Possible usage of PPLBlade to obfuscate an LSASS process memory dump
- hacking_tools: PT-CR-373: SharpWMI_Usage: Possible use of the SharpWMI software is detected
- hacking_tools: PT-CR-2637: Subrule_Invoke_Rubeus_Usage: Possible use of PowerShell functions to inject payload into process memory. This may indicate the use of the Invoke-Rubeus malware (an obfuscated version of Rubeus that uses a payload encoded in Base64).
- hacking_tools: PT-CR-371: Rubeus_Usage: Possible use of the Rubeus software is detected
- hacking_tools: PT-CR-759: SharpMapExec_Usage: Possible use of SharpMapExec is detected
- hacking_tools: PT-CR-839: SharPersist_Usage: Possible usage of the SharPersist utility is detected
- hacking_tools: PT-CR-372: SharpSploit_Usage: Possible use of the SharpSploit software is detected
- hacking_tools: PT-CR-2690: Covenant_Shellcmd_Usage: A command was executed in the Windows command prompt using Covenant
- hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.
- mitre_attck_defense_evasion: PT-CR-338: MSXSL_AWL_Bypass: An attempt to bypass application-start restrictions by using msxsl.exe (a Microsoft Windows command-line XSL transformation utility)
- mitre_attck_defense_evasion: PT-CR-197: RegAsm_Or_RegSvcs_AWL_Bypass: An attempt to bypass application-start restrictions by using regasm.exe (Microsoft Windows assembly registration tool) or regsvcs.exe (Microsoft Windows .NET service installation tool)
- mitre_attck_defense_evasion: PT-CR-199: Rundll32_AWL_Bypass: An attempt to bypass application-start restrictions by using rundll32.exe (a built-in Microsoft Windows utility used to execute DLL files)
- mitre_attck_defense_evasion: PT-CR-337: Msiexec_AWL_Bypass: An attempt to bypass application-start restrictions by using msiexec.exe (a built-in Microsoft Windows utility used to execute MSI files)
- mitre_attck_defense_evasion: PT-CR-1861: Firewall_Modify: Attempt to change the Windows firewall configuration
- mitre_attck_defense_evasion: PT-CR-194: Csc_AWL_Bypass: An attempt to bypass application-start restrictions by using csc.exe (a built-in Microsoft Windows utility used by .NET to compile C# code)
- mitre_attck_defense_evasion: PT-CR-454: Dnscmd_AWL_Bypass: An attempt to bypass application-start restrictions by using the built-in Microsoft Windows utility dnscmd.exe (a command-line interface for managing DNS servers)
- mitre_attck_defense_evasion: PT-CR-201: Cmstp_AWL_Bypass: An attempt to bypass User Account Control (UAC) or application-start restrictions by using cmstp.exe (a built-in Microsoft Windows utility that installs or removes Connection Manager service profiles)
- mitre_attck_defense_evasion: PT-CR-940: SharpEventPersist_Usage: Starting the SharpEventPersist utility to gain persistence in a system is detected
- mitre_attck_defense_evasion: PT-CR-456: Odbcconf_AWL_Bypass: An attempt to bypass application-start restrictions by using odbcconf.exe (a built-in Microsoft Windows utility used for managing ODBC connections)
- mitre_attck_defense_evasion: PT-CR-1776: Browser_LOLBin: A process was started using trusted software
- mitre_attck_defense_evasion: PT-CR-652: WDAC_Bypass_Via_Dbgsrv: A user started an application debugger
- mitre_attck_defense_evasion: PT-CR-198: Regsvr32_AWL_Bypass: An attempt to bypass application-start restrictions by using regsvr32.exe (a built-in Microsoft Windows utility used for DLL registration)
- mitre_attck_defense_evasion: PT-CR-196: MSBuild_AWL_Bypass: An attempt to bypass application-start restrictions by using msbuild.exe (a .NET Framework utility used to compile and execute code)
- mitre_attck_defense_evasion: PT-CR-208: XSL_Script_WMIC_Execution: An attempt to run XSL scripts using "wmic" is detected
- mitre_attck_defense_evasion: PT-CR-195: InstallUtil_AWL_Bypass: An attempt to bypass application-start restrictions by using installutil.exe (a Microsoft Windows command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies)
- mitre_attck_defense_evasion: PT-CR-204: MSHTA_AWL_Bypass: An attempt to bypass application-start restrictions by using mshta.exe (a built-in Microsoft Windows utility that executes HTML applications (.hta))
- mitre_attck_defense_evasion: PT-CR-457: Pcalua_AWL_Bypass: An attempt to bypass application-start restrictions by using Microsoft Windows pcalua.exe (Program Compatibility Assistant)
- mitre_attck_defense_evasion: PT-CR-455: Mavinject_AWL_Bypass: An attempt to bypass application-start restrictions by using mavinject.exe (a built-in utility that serves as the Microsoft Application Virtualization Injector within App-V)
- mitre_attck_defense_evasion: PT-CR-603: IEExec_AWL_Bypass: An attempt to bypass application-start restrictions by using ieexec.exe (an undocumented Microsoft .NET Framework application that can be used as a host to run other managed applications that you start by using a URL)
- mitre_attck_defense_evasion: PT-CR-203: BitsJob_Download_And_Run: An attempt to download or start an application using Microsoft Windows "bitsadmin" is detected
- mitre_attck_defense_evasion: PT-CR-1088: Devinit_AWL_Bypass: An attempt to bypass application-start restrictions by using devinit.exe (a utility included in the Microsoft Visual Studio SDK)
- mitre_attck_defense_evasion: PT-CR-946: Suspicious_Execution_Via_Regsvr32: An attempt to bypass application-start restrictions by using regsvr32.exe (a built-in Microsoft Windows utility used for DLL registration)
- mitre_attck_defense_evasion: PT-CR-938: PowerShell_CLM_Bypass: An attempt to bypass PowerShell Constrained Language
- mitre_attck_command_and_control: PT-CR-609: Download_File_Through_Windows_Defender: An attempt to download a file with Windows Defender is detected
- microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
- it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command is executed
- it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
- it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used
- mitre_attck_execution: PT-CR-339: Subrule_Script_Files_Execution: A user started a script
- mitre_attck_execution: PT-CR-1962: Remote_Registry_Enable: Possible start of the Remote Registry service to remotely change the values of Windows registry keys, which can be used for lateral movement
- mitre_attck_execution: PT-CR-954: Tttracer_LOLBin: Bypassing protection with tttracer.exe
- mitre_attck_execution: PT-CR-223: Code_Execution_Via_JDK_Tools: An attempt to execute code using the Java toolkit is detected
- mitre_attck_execution: PT-CR-207: Suspicious_Wmic_Command: An attempt to use "wmic" for suspicious activity is detected
- mitre_attck_execution: PT-CR-2300: Windows_Path_Traversal: Attempted Path Traversal attack. This attack on the Windows command line allows the attacker to access arbitrary files and directories stored on the file system.
- mitre_attck_execution: PT-CR-2459: Dump_Bitlocker_Keys_From_Host: The manage-bde utility or Get-BitLockerVolume cmdlet is used to gain information about the volumes encrypted using BitLocker as well as the recovery keys. An attacker can use this information to decrypt the protected data.
- mitre_attck_execution: PT-CR-1089: DotNetToJScript_Usage: Possible usage of the DotNetToJscript utility is detected
- mitre_attck_execution: PT-CR-209: Execute_Suspicious_Command_Via_Cmd: The "Cmd" process was started with potentially dangerous arguments
- mitre_attck_execution: PT-CR-340: Execute_Malicious_Command: An attempt to execute a potentially dangerous command is detected
- mitre_attck_execution: PT-CR-1756: PowerShdll_Usage: The PowerShdll utility was started
- mitre_attck_execution: PT-CR-2707: Execute_File_From_Sysvol_Share: A process or script was started from one of the following subdirectories of the Sysvol network share: Startup, Shutdown, Logon, Logoff, or Scripts. These subdirectories are used for storing executables and script files required for managing group policies and other settings in Active Directory. This could be an attacker's attempt to gain persistence in the system.
- mitre_attck_execution: PT-CR-645: Recon_Via_Webserver_Process: A user started a process from a parent process
- mitre_attck_execution: PT-CR-602: Finger_AWL_Bypass: An attempt to bypass application-start restrictions by using finger.exe (a built-in Microsoft Windows utility that displays information about users on a specified remote computer that is running the finger service)
- mitre_attck_execution: PT-CR-316: LOLBin_Copying: An attempt to copy a system application is detected
- mitre_attck_execution: PT-CR-2810: Script_Files_Execution: A user started a script using a process that accessed an external address, started a child process, changed a registry key to gain persistence in the infrastructure, gained access to another process, or created a remote thread in another process
- mitre_attck_execution: PT-CR-342: Schtasks_Commandline: A scheduled task was managed using the command line or PowerShell
- mitre_attck_persistence: PT-CR-271: Service_Created_Or_Modified: An attempt to perform operations on Microsoft Windows services using the command line or PowerShell is detected
- mitre_attck_persistence: PT-CR-568: IIS_Module_Filter_Installation: An extension module or filter was installed in Internet Information Services. An attacker can listen, modify, or redirect network traffic, as well as gain persistence in the system or execute malicious code on other hosts.
- mitre_attck_persistence: PT-CR-264: Add_New_User_In_Commandline: An attempt to create an account using the command line or PowerShell is detected
- pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used
- pt_application_firewall: PT-CR-1906: PTAF_Command_Injection_Detected: PT AF detected OS command injection

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may abuse the Windows command shell for execution.

Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd. It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don't routinely launch a command prompt, e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.

Analytic 1 - Unusual Command Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP ".*/c.*" OR CommandLine REGEXP ".*/k.*")
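The baseline-and-difference analytic from the note above, combined with the /c and /k switch check of Analytic 1, as an added Python example that is not part of this page or of MaxPatrol SIEM. The event records are constructed samples in a Sysmon Event ID 1-like shape; the field names (UtcTime, Image, ParentImage, CommandLine) and the 30-day window are assumptions taken from the note.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation records in a Sysmon Event ID 1-like
# shape (UtcTime, Image, ParentImage, CommandLine); not real telemetry.
EVENTS = [
    {"UtcTime": "2024-05-01 09:12:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"UtcTime": "2024-05-10 14:03:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "cmd.exe /k echo hello"},
    {"UtcTime": "2024-05-30 08:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-05-30 10:15:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2024-05-30 10:16:00", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
TODAY = datetime(2024, 5, 30, 12, 0, 0)  # the "today" the analytic runs for

# Same loose pattern as Analytic 1: a /c or /k switch anywhere on the line.
CMD_SWITCH = re.compile(r".*/[ck].*", re.IGNORECASE)

def is_cmd(event):
    return event["Image"].lower().endswith("\\cmd.exe")

def cmd_events_in(events, start, end):
    """cmd.exe launches whose UtcTime falls in [start, end)."""
    hits = []
    for e in events:
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if is_cmd(e) and start <= ts < end:
            hits.append(e)
    return hits

def new_cmd_parents(events, today, baseline_days=30):
    """Parents that spawned cmd today but never during the baseline window."""
    day_start = today.replace(hour=0, minute=0, second=0, microsecond=0)
    baseline = {e["ParentImage"].lower() for e in
                cmd_events_in(events, day_start - timedelta(days=baseline_days), day_start)}
    todays = {e["ParentImage"].lower() for e in
              cmd_events_in(events, day_start, day_start + timedelta(days=1))}
    return todays - baseline  # set difference, exactly as the note describes

def suspicious_cmd_events(events, today, baseline_days=30):
    """Today's cmd launches from a new parent that also carry a /c or /k switch."""
    novel = new_cmd_parents(events, today, baseline_days)
    day_start = today.replace(hour=0, minute=0, second=0, microsecond=0)
    return [e for e in cmd_events_in(events, day_start, day_start + timedelta(days=1))
            if e["ParentImage"].lower() in novel and CMD_SWITCH.match(e["CommandLine"])]

if __name__ == "__main__":
    for e in suspicious_cmd_events(EVENTS, TODAY):
        print(e["ParentImage"], "->", e["CommandLine"])
```

On the sample data only the Outlook-spawned `cmd.exe /c whoami` survives, because explorer.exe already appears in the baseline; the loose `/c` pattern will also match paths containing "/c", so production rules usually anchor the switch after the image name.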

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Use application control where appropriate.