1. Home
  2. Software
  3. cmd

cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).

ID: S0106
Associated Software: cmd.exe
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 13 October 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

cmd is used to execute programs and other actions at the command-line interface.[1]
Enterprise T1083 文件和目录发现

cmd can be used to find files and directories with native functionality such as dir commands.[2]
Enterprise T1570 横向工具传输

cmd can be used to copy files to/from a remotely connected internal system.[4]
Enterprise T1070 .004 移除指标: File Deletion

cmd can be used to delete files from the file system.[3]
Enterprise T1082 系统信息发现

cmd can be used to find information about the operating system.[2]
Enterprise T1105 输入工具传输

cmd can be used to copy files to/from a remotely connected external system.[4]

Groups That Use This Software

ID Name References
G0093 GALLIUM

[5][6]
G0060 BRONZE BUTLER

[7]
G0026 APT18

[8]
G0045 menuPass

[9]
G0071 Orangeworm

[10]
G1017 Volt Typhoon

[11]

Campaigns

ID Name Description
C0006 Operation Honeybee

[12]

References

  1. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  2. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  3. Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  4. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  5. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  6. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  1. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  2. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  3. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  4. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  5. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  6. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.