Try it using Invoke-Atomic

Command and Scripting Interpreter: Windows Command Shell

Description from ATT&CK

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Create and Execute Batch Script

Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again.

Supported Platforms: windows

auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388

Inputs:

Name Description Type Default Value
command_to_execute Command to execute within script. string dir
script_path Script path. path $env:TEMP\T1059.003_script.bat

Attack Commands: Run with powershell!

1
2
Start-Process #{script_path}

Cleanup Commands:

1
2
Remove-Item #{script_path} -Force -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Batch file must exist on disk at specified location (#{script_path})

Check Prereq Commands:

1
2
if (Test-Path #{script_path}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
New-Item #{script_path} -Force | Out-Null
Set-Content -Path #{script_path} -Value "#{command_to_execute}"

source