Windows Command Shell
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
Detection logic
Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
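The detection guidance above can be turned into concrete logic over process-creation telemetry. The following is an added example, not part of the ATT&CK page: it runs three checks over constructed Sysmon EID 1 / Security 4688 style events (field names, the admin allowlist, the patch window and the discovery watchlist are all assumptions) and flags cmd.exe batch execution by non-admin accounts, batch execution outside the patching cycle, and shells that immediately spawn several discovery commands.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style; field names assumed).
EVENTS = [
    {"ts": "2024-03-05T02:14:10", "pid": 4120, "ppid": 3310, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\upd.bat"},
    {"ts": "2024-03-05T02:14:12", "pid": 4130, "ppid": 4120, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2024-03-05T02:14:13", "pid": 4131, "ppid": 4120, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-03-05T22:05:00", "pid": 5200, "ppid": 900, "user": "CORP\\svc_patch",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c D:\patch\apply.cmd"},
    {"ts": "2024-03-05T10:30:00", "pid": 6100, "ppid": 880, "user": "CORP\\dev1",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

ADMIN_ACCOUNTS = {"CORP\\svc_patch", "CORP\\helpdesk"}  # assumed: accounts expected to run scripts
PATCH_WINDOW_HOURS = {22, 23, 0, 1}                      # assumed: local-time patching window
DISCOVERY = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "nltest.exe"}  # assumed watchlist
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)

def is_cmd(ev):
    return ev["image"].lower().endswith("\\cmd.exe")

def analyze(events):
    """Return (pid, reason) findings for each cmd.exe event, following the detection guidance above."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if not is_cmd(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        runs_batch = bool(BATCH_RE.search(ev["cmdline"]))
        if runs_batch and ev["user"] not in ADMIN_ACCOUNTS:
            findings.append((ev["pid"], "batch script run by non-admin account"))
        if runs_batch and t0.hour not in PATCH_WINDOW_HOURS:
            findings.append((ev["pid"], "batch script run outside patch window"))
        # Discovery commands spawned by this shell within 60 s point to post-compromise enumeration.
        disc = [c for c in children[ev["pid"]]
                if c["image"].rsplit("\\", 1)[-1].lower() in DISCOVERY
                and 0 <= (datetime.fromisoformat(c["ts"]) - t0).total_seconds() <= 60]
        if len(disc) >= 2:
            findings.append((ev["pid"], f"{len(disc)} discovery commands spawned within 60 s"))
    return findings
```

Only the 02:14 shell (pid 4120) is flagged; the patch account's 22:05 batch run and the developer's interactive shell produce no findings, which is the baseline behaviour the paragraph describes.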
Observed actors
G0082
G0119 Indrik Spider
G0093 GALLIUM
G0022 APT3
G0094 Kimsuky
G1037 TA577
G0018 admin@338
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0035 Dragonfly
G0078 Gorgon Group
G0045 menuPass
G0050 APT32
G0125 HAFNIUM
G0069 MuddyWater
G0037 FIN6
G0047 Gamaredon Group
G0139 TeamTNT
G0046 FIN7
G0034 Sandworm Team
G0095 Machete
G0026 APT18
G0129 Mustang Panda
G0128 ZIRCONIUM
G0067 APT37
G0049 OilRig
G0126 Higaisa
G0081 Tropic Trooper
G0039 Suckfly
G0143 Aquatic Panda
G0004 Ke3chang
G1031 Saint Bear
G0006 APT1
G0065 Leviathan
G0108 Blue Mockingbird
G1035 Winter Vivern
G0010 Turla
G0092 TA505
G1039 RedCurl
G0016 APT29
G0070 Dark Caracal
G1021 Cinnamon Tempest
G0114 Chimera
G0060 BRONZE BUTLER
G0127 TA551
G0012 Darkhotel
G1003 Ember Bear
G0140 LazyScripter
G1022 ToddyCat
G1030 Agrius
G0007 APT28
G1013 Metador
G1023 APT5
G0117 Fox Kitten
G0032 Lazarus Group
G1032 INC Ransom
G0091 Silence
G0054 Sowbug
G0028 Threat Group-1314
G0080 Cobalt Group
G0102 Wizard Spider
G1040 Play
G0075 Rancor
G0059 Magic Hound
G0027 Threat Group-3390
G0051 FIN10
G0061 FIN8
G1016 FIN13
G0133 Nomadic Octopus
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mention: APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mention: ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention: CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention: From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention: OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
1200km Medium · authored report mention: CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km Medium · authored report mention: From Threat Intelligence to Detection: A Practitioner's Guide