Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows) Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
Atomic Test #3 - Suspicious Execution via Windows Command Shell
Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing
Atomic Test #5 - Command Prompt read contents from CMD file and execute
Atomic Test #6 - Command prompt writing script to file then executes it
Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.
Supported Platforms: Windows
auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388
| Name | Description | Type | Default Value | |——|————-|——|—————| | command_to_execute | Command to execute within script. | string | dir| | script_path | Script path. | path | PathToAtomicsFolder\..\ExternalPayloads\T1059.003_script.bat|
1
powershell
1
Start-Process "#{script_path}"
1
Remove-Item "#{script_path}" -Force -ErrorAction Ignore
1
powershell
1
if (Test-Path "#{script_path}") {exit 0} else {exit 1}
1
2
New-Item "#{script_path}" -Force | Out-Null
Set-Content -Path "#{script_path}" -Value "#{command_to_execute}"
Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
Supported Platforms: Windows
auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
| Name | Description | Type | Default Value | |——|————-|——|—————| | file_contents_path | Path to the file that the command prompt will drop. | path | %TEMP%\test.bin| | message | Message that will be written to disk and then displayed. | string | Hello from the Windows Command Prompt!|
1
command_prompt
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
del "#{file_contents_path}" >nul 2>&1
Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
Supported Platforms: Windows
auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | File to output to | string | hello.txt| | input_message | Message to write to file | string | Hello, from CMD!|
1
command_prompt
%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
This test attempts to open a file a specified number of times in Wordpad, then prints the contents. It is designed to mimic BlackByte ransomware’s print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. See https://redcanary.com/blog/blackbyte-ransomware/.
Supported Platforms: Windows
auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
| Name | Description | Type | Default Value | |——|————-|——|—————| | file_to_print | File to be opened/printed by Wordpad. | string | PathToAtomicsFolder\..\ExternalPayloads\T1059_003note.txt| | max_to_print | The maximum number of Wordpad windows the test will open/print. | integer | 75|
1
powershell
1
cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
1
stop-process -name wordpad -force -erroraction silentlycontinue
1
powershell
1
if (test-path "#{file_to_print}"){exit 0} else {exit 1}
1
new-item "#{file_to_print}" -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
Simulate Raspberry Robin using the “standard-in” command prompt feature cmd 1
/R <
Supported Platforms: Windows
auto_generated_guid: df81db1b-066c-4802-9bc8-b6d030c3ba8e
| Name | Description | Type | Default Value | |——|————-|——|—————| | input_file | CMD file that is read by Command Prompt and execute, which launches calc.exe | path | PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd|
1
command_prompt
cmd /r cmd<"#{input_file}"
1
powershell
1
if (Test-Path "#{input_file}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1059.003/src/t1059.003_cmd.cmd" -OutFile "#{input_file}"
Simulate DarkGate malware’s second stage by writing a VBscript to disk directly from the command prompt then executing it. The script will execute ‘whoami’ then exit.
Supported Platforms: Windows
auto_generated_guid: 00682c9f-7df4-4df8-950b-6dcaaa3ad9af
| Name | Description | Type | Default Value | |——|————-|——|—————| | script_path | Path in which the script will be written. | path | %TEMP%\| | script_name | Script name (without the extension) | string | AtomicTest|
1
command_prompt
c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs
del "#{script_name}.vbs" >nul 2>&1