Windows Command Shell

The Windows Command Shell, also known as cmd.exe or the Command Prompt, is a fundamental component of the Windows operating system. It provides users and administrators with the ability to execute commands, run scripts, and manage system resources. Cyber adversaries frequently exploit the Windows Command Shell for malicious purposes, leveraging its capabilities to compromise systems, elevate privileges, move laterally within networks, maintain persistence, and exfiltrate data.

Command Execution

Attackers leverage cmd.exe to directly execute malicious commands on a target system, allowing them to manipulate system settings, launch programs, or interact with system files. This capability provides attackers with a versatile tool for conducting a wide range of malicious activities.

User Account Manipulation

  • net user: Create or modify user accounts. Attackers can use this command to establish new backdoor accounts with administrative privileges, allowing them to regain access even if their primary account is discovered and disabled. They can also modify existing accounts to escalate privileges, such as changing the password of an existing privileged account.

  • net localgroup: Add or remove users from local groups. Attackers can add themselves or other malicious accounts to privileged groups like Administrators or Remote Desktop Users, granting them elevated access to the system and potentially to other systems in the network.

  • net accounts: Modify password and logon requirements for all accounts. Attackers can weaken security policies by setting longer maximum password ages, reducing the frequency of required password changes, or disabling password complexity requirements.
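
The three commands above leave a clear trail in the Security audit log, which is where a defender should look for them. The following is an added example (not part of the original page) that correlates standard Windows Security audit events into alerts: a freshly created account that is added to a privileged local group shortly afterwards, and a password reset of a privileged account by someone outside an approved set. It assumes the events have already been exported to dicts with the fields shown; the records, host names and account names are constructed for the demonstration.

```python
"""Correlate Windows Security audit events into account-backdoor alerts.

Added example, not from the original page. Event IDs used are the standard
Windows Security audit IDs:
  4720  A user account was created
  4724  An attempt was made to reset an account's password
  4732  A member was added to a security-enabled local group
The sample records below are constructed, not captured from a real host.
"""
from datetime import datetime, timedelta

# Constructed sample: a routine helpdesk password reset in the morning, then a
# suspicious sequence in the afternoon: a new account is created, added to
# Administrators 40 seconds later, and the built-in Administrator is reset.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4724, "host": "WS01",
     "subject": "helpdesk1", "target": "jsmith"},
    {"time": "2024-05-01T13:15:10", "id": 4720, "host": "WS01",
     "subject": "jsmith", "target": "svc_backup"},
    {"time": "2024-05-01T13:15:50", "id": 4732, "host": "WS01",
     "subject": "jsmith", "target": "svc_backup", "group": "Administrators"},
    {"time": "2024-05-01T13:20:00", "id": 4724, "host": "WS01",
     "subject": "jsmith", "target": "Administrator"},
]

# Local groups whose membership grants elevated or remote access.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_backdoor_accounts(events, window=timedelta(minutes=10)):
    """Alert when an account is created (4720) and then added to a privileged
    local group (4732) on the same host within `window`."""
    creations = {}  # (host, account) -> creation event
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == 4720:
            creations[key] = ev
        elif ev["id"] == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            created = creations.get(key)
            if created and _ts(ev) - _ts(created) <= window:
                alerts.append({
                    "rule": "new-account-to-privileged-group",
                    "host": ev["host"], "account": ev["target"],
                    "group": ev["group"], "by": ev["subject"],
                    "seconds_after_creation":
                        int((_ts(ev) - _ts(created)).total_seconds()),
                })
    return alerts


def find_privileged_password_resets(events, privileged_accounts, allowed_subjects):
    """Alert on 4724 password resets of privileged accounts performed by any
    subject outside `allowed_subjects` (e.g. the helpdesk group)."""
    alerts = []
    for ev in events:
        if ev["id"] != 4724:
            continue
        if (ev["target"].lower() in privileged_accounts
                and ev["subject"].lower() not in allowed_subjects):
            alerts.append({"rule": "privileged-password-reset", "host": ev["host"],
                           "account": ev["target"], "by": ev["subject"]})
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_accounts(SAMPLE_EVENTS):
        print(alert)
    for alert in find_privileged_password_resets(
            SAMPLE_EVENTS, {"administrator"}, {"helpdesk1"}):
        print(alert)
```

Both rules depend on account-management auditing being enabled ("Audit User Account Management" and "Audit Security Group Management"); without it, 4720 and 4732 are never written and the correlation has nothing to work with, which is exactly why the auditpol changes discussed later on this page are worth alerting on in their own right.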

Network Information Gathering

  • netstat: Display network connections, routing tables, and interface statistics. Attackers can use this command to identify active network connections and open ports, helping them map out the network and find potential targets for further exploitation.

  • ipconfig: Display network configuration details. Attackers can discover network interfaces, IP addresses, subnet masks, and default gateways, which can help them understand the network topology and identify potential points of entry or targets for lateral movement.

  • arp: Display or modify the ARP cache. Attackers can use this command to identify devices on the local network by their IP and MAC addresses. They can also manipulate the ARP cache to perform man-in-the-middle attacks.

  • nslookup: Query DNS to obtain domain name or IP address mapping. Attackers can gather domain name information and identify the IP addresses of critical servers, such as domain controllers or mail servers, which can be targeted for further attacks.

  • ping: Test the reachability of a host. Attackers can check if a target system is online and measure the round-trip time for messages sent to the destination, helping them identify active hosts and network latency.

  • tracert: Trace the route packets take to a network host. Attackers can map the path to a target system, identifying intermediate routers and potential network choke points that can be targeted for disruption or further reconnaissance.

Registry Modification

  • reg add: Add a new registry entry. Attackers can create malicious registry entries that run malware or scripts upon system startup, ensuring persistence. They can also modify existing entries to change system configurations.

  • reg delete: Delete a registry entry. Attackers can remove security-related registry entries, such as those enabling antivirus software or logging, to weaken the system's defenses and cover their tracks.

  • reg query: Query the contents of the registry. Attackers can gather information about installed software, system configurations, and user settings, which can help them identify vulnerabilities and tailor their attacks.

  • reg save: Save a copy of specified subkeys, entries, and values of the registry in a specified file. Attackers can extract sensitive information, such as hashed passwords stored in the SAM hive, which can be cracked offline to obtain plaintext passwords.

Altering Service Configurations

  • sc config: Configure service startup types. Attackers can ensure that malicious services or programs are executed automatically upon system startup, maintaining persistence even after a system reboot.

  • sc create: Create a new service. Attackers can create malicious services that run their payloads with elevated privileges, allowing them to maintain control over the system.

  • sc delete: Delete a service. Attackers can remove security services, such as antivirus or intrusion detection systems, to weaken the system's defenses and avoid detection.

Modifying Firewall Rules

  • netsh advfirewall firewall add rule: Add a new firewall rule. Attackers can create rules that allow their malicious traffic through the firewall, bypassing network security controls and facilitating data exfiltration or command-and-control communications.

  • netsh advfirewall firewall delete rule: Delete an existing firewall rule. Attackers can remove rules that block their traffic, ensuring their activities are not hindered by firewall policies.

  • netsh advfirewall set allprofiles state off: Disable the firewall. Attackers can disable the firewall entirely, reducing network security and making it easier to communicate with remote command-and-control servers or exfiltrate data.

Clearing Event Logs

  • wevtutil cl: Clear event logs. Attackers can remove evidence of their activities by clearing event logs, making it more difficult for defenders to investigate and respond to the attack.

  • eventcreate: Create a custom event in the event log. Attackers can create misleading logs to confuse investigators, making it harder to reconstruct the sequence of malicious activities.

File Manipulation

  • copy: Copy files from one location to another. Attackers can plant malicious files in strategic locations, such as startup folders, to ensure they are executed automatically.

  • move: Move files from one location to another. Attackers can relocate files to obscure their presence, making it harder for defenders to find and analyze them.

  • del: Delete files. Attackers can remove evidence of their activities by deleting logs, payloads, or other incriminating files.

  • ren: Rename files. Attackers can disguise malicious files by renaming them to appear benign, reducing the likelihood of detection by users or security software.

  • xcopy: Copy files and directories, including subdirectories. Attackers can replicate malicious files across the system or network, ensuring widespread infection and persistence.

Changing File Attributes

  • attrib: Change file attributes (e.g., hidden, read-only). Attackers can make files less likely to be discovered by setting them as hidden or read-only, preventing users and some security software from easily accessing or modifying them.

Modifying Permissions

  • icacls: Modify file and folder permissions. Attackers can ensure their files are accessible only to them by setting restrictive permissions, or they can grant themselves access to critical files and directories.

  • takeown: Take ownership of files and directories. Attackers can take control of files to modify or delete them, bypassing existing ownership and permission restrictions.

System Information Gathering

  • systeminfo: Display detailed system information. Attackers can gather information about the OS, hardware, and installed patches, helping them identify potential vulnerabilities and tailor their attacks.

  • tasklist: List all running processes. Attackers can identify potentially vulnerable applications or services, as well as security software that might be running.

  • driverquery: List all installed drivers. Attackers can identify potential vulnerabilities in drivers, which can be exploited to gain elevated privileges or execute arbitrary code.

  • hostname: Display the hostname of the machine. Attackers can identify the target system, which can be useful for network mapping and targeting specific machines.

  • whoami: Display the current username and domain. Attackers can confirm their current privilege level and determine if they need to escalate privileges further.

Process Manipulation

  • taskkill: Terminate running processes. Attackers can disrupt legitimate services or kill security software, making it easier to carry out their activities without interference.

Advanced Network Manipulation

  • route: Manipulate network routing tables. Attackers can redirect traffic through malicious routes, potentially intercepting or altering data in transit.

  • netsh interface: Configure network interfaces. Attackers can change IP addresses, disable network interfaces, or manipulate other network settings to evade detection or disrupt network communications.

  • nbtstat: Display NetBIOS over TCP/IP statistics. Attackers can gather information about NetBIOS sessions, including the names and IP addresses of remote computers, which can be used for further reconnaissance and targeting.

System Configuration

  • msconfig: Alter system startup configurations. Attackers can enable or disable startup programs and services, ensuring their malicious payloads are executed automatically or disabling security software.

  • bcdedit: Modify boot configuration data. Attackers can alter boot settings to enable advanced boot options, such as safe mode with networking, which can be used for further exploitation.

File and Disk Operations

  • diskpart: Manage disk partitions. Attackers can create or delete partitions, potentially destroying data or creating hidden storage areas for malicious files.

  • compact: Change file compression settings. Attackers can reduce the visibility of files by compressing them, making it harder for users and security software to detect them.

  • cipher: Encrypt or decrypt files and folders. Attackers can lock legitimate users out of their data by encrypting files, or they can decrypt and access sensitive information.

Privilege Escalation

  • runas: Execute a program under a different user account. Attackers can run commands with higher privileges, allowing them to perform actions that require administrative access.

Environment Variable Manipulation

  • setx: Set environment variables. Attackers can manipulate the execution environment of applications, potentially altering their behavior or redirecting them to malicious payloads.

Software Installation

  • msiexec: Install, modify, and perform operations on Windows Installer packages. Attackers can install malicious software, modify existing installations, or perform other operations to compromise the system.

  • dism: Manage Windows images. Attackers can install or remove features and packages, potentially adding backdoors or removing security features.

Log and Audit Manipulation

  • auditpol: Configure audit policies. Attackers can disable logging of certain activities, making it harder for defenders to detect and investigate their actions.

Additional Commands

  • vssadmin: Manage Volume Shadow Copy Service (VSS). Attackers can delete shadow copies to prevent recovery, ensuring their changes cannot be easily undone.

  • gpupdate /force: Force a Group Policy update. Attackers can apply changes to group policies, potentially weakening security settings or applying malicious configurations.
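
Every command family on this page shows up in process-creation telemetry (Windows Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1). The following added example, which is not part of the original page, turns the list above into detection logic: it unwraps `cmd.exe /c ...` wrappers, splits `&&` chains, maps each command to one of the categories used on this page, and scores activity per host and user inside a sliding window so that a burst of discovery commands, or a single high-severity command such as clearing the event log, raises an alert. The event records, weights, thresholds and the Office-parent heuristic are constructed for the demonstration and should be tuned against a real baseline.

```python
"""Classify cmd.exe process-creation telemetry against the command families
listed above and raise alerts on bursts and high-severity commands.

Added example, not from the original page. It assumes process-creation
events (Windows Security 4688 or Sysmon Event ID 1) have been exported to
dicts with the fields used below; the records, weights and thresholds are
constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (executable, required first argument or None, category, weight)
RULES = [
    ("net", "user", "account-manipulation", 3),
    ("net", "localgroup", "account-manipulation", 3),
    ("net", "accounts", "account-manipulation", 2),
    ("reg", "save", "credential-access", 5),
    ("reg", "add", "persistence", 2),
    ("reg", "delete", "defense-evasion", 2),
    ("sc", "create", "persistence", 3),
    ("sc", "config", "persistence", 2),
    ("sc", "delete", "defense-evasion", 3),
    ("netsh", "advfirewall", "defense-evasion", 3),
    ("netsh", "interface", "network-manipulation", 2),
    ("wevtutil", "cl", "defense-evasion", 5),
    ("auditpol", None, "defense-evasion", 4),
    ("vssadmin", "delete", "impact", 5),
    ("bcdedit", None, "persistence", 3),
    ("route", None, "network-manipulation", 2),
    ("taskkill", None, "defense-evasion", 1),
    ("attrib", None, "defense-evasion", 1),
    ("icacls", None, "permission-change", 1),
    ("takeown", None, "permission-change", 1),
] + [(exe, None, "discovery", 1) for exe in (
    "systeminfo", "whoami", "tasklist", "driverquery", "hostname",
    "ipconfig", "netstat", "arp", "nslookup", "nbtstat")]
# ping and tracert are deliberately left out: on their own they are too noisy.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
PARENT_BONUS = 1      # a shell spawned by an Office app deserves a closer look
HIGH_SEVERITY = 5     # one command at this weight alerts on its own
BURST_THRESHOLD = 6   # cumulative weight per (host, user) inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: routine helpdesk work on WS01, then a shell
# spawned by Word on WS07 that runs discovery, disables the firewall and
# clears the Security log.
SAMPLE_PROCESS_EVENTS = [
    {"time": "2024-05-01T10:02:11", "host": "WS01", "user": "CORP\\helpdesk1",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "ipconfig /all"},
    {"time": "2024-05-01T10:02:40", "host": "WS01", "user": "CORP\\helpdesk1",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ping -n 4 fileserver01"},
    {"time": "2024-05-01T13:14:02", "host": "WS07", "user": "CORP\\jsmith",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c whoami && systeminfo '
                '&& net localgroup administrators'},
    {"time": "2024-05-01T13:14:30", "host": "WS07", "user": "CORP\\jsmith",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"time": "2024-05-01T13:15:05", "host": "WS07", "user": "CORP\\jsmith",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "wevtutil cl Security"},
]

# First token (quoted or bare), then the remainder of the line.
_LEAD = re.compile(r'\s*("[^"]*"|\S+)\s*(.*)', re.S)


def _basename(path):
    return path.replace('"', "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_commands(cmdline):
    """Unwrap `cmd.exe /c ...` or `/k ...` and split `a && b` / `a & b` chains."""
    if not cmdline.strip():
        return []
    first, rest = _LEAD.match(cmdline).groups()
    inner = cmdline
    if _basename(first) in ("cmd.exe", "cmd"):
        m = re.match(r"/[ck]\s+(.*)", rest, re.I | re.S)
        inner = m.group(1) if m else rest
    return [s.strip() for s in re.split(r"\s*&&?\s*", inner) if s.strip()]


def classify(segment):
    """Return (category, weight) for one command segment, or None if unmatched."""
    exe, args = _LEAD.match(segment).groups()
    exe = _basename(exe)
    if exe.endswith(".exe"):
        exe = exe[:-4]
    args = args.lower().split()
    first_arg = args[0] if args else None
    for rule_exe, rule_arg, category, weight in RULES:
        if exe == rule_exe and (rule_arg is None or first_arg == rule_arg):
            return category, weight
    return None


def score_events(events):
    """Sliding-window scoring per (host, user). Returns the alerts raised."""
    alerts, buckets = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        bonus = PARENT_BONUS if _basename(ev.get("parent", "")) in OFFICE_PARENTS else 0
        key = (ev["host"], ev["user"])
        for seg in split_commands(ev["cmdline"]):
            hit = classify(seg)
            if hit is None:
                continue
            category, weight = hit[0], hit[1] + bonus
            if weight >= HIGH_SEVERITY:
                alerts.append({"rule": "high-severity-command", "host": ev["host"],
                               "user": ev["user"], "command": seg, "category": category})
                buckets[key] = []          # start a fresh window after alerting
                continue
            bucket = [b for b in buckets[key] if t - b[0] <= WINDOW]
            bucket.append((t, category, weight, seg))
            score = sum(b[2] for b in bucket)
            if score >= BURST_THRESHOLD:
                alerts.append({"rule": "command-burst", "host": ev["host"],
                               "user": ev["user"], "score": score,
                               "commands": [b[3] for b in bucket],
                               "categories": sorted({b[1] for b in bucket})})
                bucket = []
            buckets[key] = bucket
    return alerts


if __name__ == "__main__":
    for alert in score_events(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

Two practical points follow from this design. Command-line auditing has to be switched on for 4688 to carry the command line at all, so the same auditpol tampering the page describes would blind this detector; and clearing the Security log with wevtutil cl does not erase the evidence of the clearing itself, because Windows writes Event ID 1102 ("The audit log was cleared") as the first record of the new log (Event ID 104 in the System log when another channel is cleared), which makes a cheap second signal to corroborate the process-creation hit.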
