Execution

T1059.003: Windows Command Shell

T1059.003 · Sub-technique · 1 platform · 73 groups

Description

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
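As an added example (not part of the ATT&CK entry or any vendor's code), a small Python detector run over constructed process-creation events that applies the behaviours this page lists: cmd.exe spawned by an Office macro host, a batch file launched from %TEMP% via `cmd.exe /c`, and `/c` invoked by a parent that is not an interactive shell. The parent allowlist, the Office host list and the event field names are assumptions to be tuned for a real environment.

```python
"""Flag suspicious cmd.exe launches in constructed process-creation events."""
import ntpath
import re
from dataclasses import dataclass

# Assumed lists: Office macro hosts and parents from which cmd.exe /c is routine.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe",
                    "conhost.exe", "services.exe"}
# Batch file (.bat/.cmd) referenced under a temp directory, e.g. %TEMP%\x.bat.
TEMP_BATCH = re.compile(
    r"(%temp%|\\temp\\|\\appdata\\local\\temp\\)[^\s\"]*\.(bat|cmd)\b", re.I)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str   # command line of the new process


def is_cmd(image):
    return ntpath.basename(image).lower() == "cmd.exe"


def cmd_shell_findings(ev):
    """Return reason strings for a cmd.exe launch; empty list means benign."""
    if not is_cmd(ev.image):
        return []
    reasons = []
    parent = ntpath.basename(ev.parent_image).lower()
    if parent in OFFICE_HOSTS:
        reasons.append(f"cmd.exe spawned by Office host {parent} (macro execution)")
    if TEMP_BATCH.search(ev.command_line):
        reasons.append("batch file executed from a temp directory")
    if re.search(r"\s/c\s", ev.command_line, re.I) and parent not in EXPECTED_PARENTS:
        reasons.append(f"cmd.exe /c launched by unexpected parent {parent}")
    return reasons


def scan(events):
    """Map event index -> findings for every event with at least one finding."""
    return {i: cmd_shell_findings(ev) for i, ev in enumerate(events)
            if cmd_shell_findings(ev)}


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "%TEMP%\abc123def.bat"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Users\user\Downloads\update.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami"),
]
```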

Platforms

Windows

Mitigations (1)

M1038 Execution Prevention

Use application control where appropriate.

Threat Groups (73)

| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(... |
| G0039 | Suckfly | Several tools used by [Suckfly](https://attack.mitre.org/groups/G0039) have been command-line driven.(Citation: Symantec Suckfly May 2016) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used the command-line interface for code execution.(Citation: Unit 42 Magic Hound Feb 2017)(C... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to open a Windows Command Shell on a remote host.(Citation: Zscaler APT31 Covid-19 ... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) has used macros in Word documents that would download a second stage if executed.(Citation: Look... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used `cmd.exe` to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return Octo... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used the Windows command line to perform hands-on-keyboard activities in targeted environmen... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used macros to deliver malware such as [QUADAGENT](https://attack.mitre.org/software/S0269) and [O... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used command-line interfaces for execution.(Citation: SecureWorks BRONZE UNION June 201... |
| G0028 | Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors spawned shells on remote systems on a victim network to execute commands.(Citation: ... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) initial loaders will also drop a malicious Windows batch file, available via open source GitHub re... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used a batch script to remove indicators of its presence on compromised hosts.(Citation: Trend Micr... |
| G0133 | Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) used `cmd.exe /c` within a malicious macro.(Citation: ESET Nomadic Octopus 2018) |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used batch scripts to download tools and execute cryptocurrency miners.(Citation: ATT TeamTNT C... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used `cmd.exe` to launch malicious payloads.(Citation: Huntress INC Ransom Group August 2023) |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used the Windows command line as part of infection chains to open documents.(Citation: Check Point ... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim's machine.(Citatio... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018) |

Associated Software (295)

| ID | Name | Type | Context |
|---|---|---|---|
| S0053 | SeaDuke | Malware | [SeaDuke](https://attack.mitre.org/software/S0053) is capable of executing commands.(Citation: Unit 42 SeaDuke 2015) |
| S0259 | InnaputRAT | Malware | [InnaputRAT](https://attack.mitre.org/software/S0259) launches a shell to execute commands on the victim's machine.(Citation: ASERT InnaputRAT April 2... |
| S0187 | Daserf | Malware | [Daserf](https://attack.mitre.org/software/S0187) can execute shell commands.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTL... |
| S0046 | CozyCar | Malware | A module in [CozyCar](https://attack.mitre.org/software/S0046) allows arbitrary commands to be executed by invoking `C:\Windows\System32\cmd.exe`... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) has used `cmd.exe` to scan a compromised host for specific file extensions.(Citation: Palo Alto Un... |
| S0229 | Orz | Malware | [Orz](https://attack.mitre.org/software/S0229) can execute shell commands.(Citation: Proofpoint Leviathan Oct 2017) [Orz](https://attack.mitre.org/sof... |
| S0475 | BackConfig | Malware | [BackConfig](https://attack.mitre.org/software/S0475) can download and run batch files to execute commands on a compromised host.(Citation: Unit 42 Ba... |
| S0381 | FlawedAmmyy | Malware | [FlawedAmmyy](https://attack.mitre.org/software/S0381) has used `cmd` to execute commands on a compromised host.(Citation: Korean FSI TA505 2020) |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can run shell commands using a BAT file with a name matching `%TEMP%\<random_9_alnum_chars>.bat`fi... |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) has a command to open the command-line on the infected system.(Citation: Threatpost Lizar May 2021)(C... |
| S0651 | BoxCaon | Malware | [BoxCaon](https://attack.mitre.org/software/S0651) can execute arbitrary commands and utilize the "ComSpec" environment variable.(Citation: Checkpoint... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can be deployed via batch script.(Citation: ESET MirrorFace 2025) |
| S0124 | Pisloader | Malware | [Pisloader](https://attack.mitre.org/software/S0124) uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.(C... |
| S0346 | OceanSalt | Malware | [OceanSalt](https://attack.mitre.org/software/S0346) can create a reverse shell on the infected endpoint using cmd.exe.(Citation: McAfee Oceansalt Oct... |
| S0639 | Seth-Locker | Malware | [Seth-Locker](https://attack.mitre.org/software/S0639) can execute commands via the command line shell.(Citation: Trend Micro Ransomware February 2021... |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) has used cmd.exe to run its self-deletion routine.(Citation: Cyberreason Anchor December 2019) |
| S0025 | CALENDAR | Malware | [CALENDAR](https://attack.mitre.org/software/S0025) has a command to run cmd.exe to execute commands.(Citation: Mandiant APT1 Appendix) |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use cmd.exe to launch itself and to execute multiple C2 commands.(Citation: Crowdstrike Qakbot O... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can use `cmd.exe` for execution on compromised hosts.(Citation: ESET Hermetic Wizard March 2... |
| S0336 | NanoCore | Malware | [NanoCore](https://attack.mitre.org/software/S0336) can open a remote command-line interface and execute commands.(Citation: PaloAlto NanoCore Feb 201... |

Frequently Asked Questions

What is T1059.003 (Windows Command Shell)?

T1059.003 is a MITRE ATT&CK sub-technique named 'Windows Command Shell'. It belongs to the Execution tactic. Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows...

How can T1059.003 be detected?

Detection of T1059.003 (Windows Command Shell) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1059.003?

There is 1 documented mitigation for T1059.003: Execution Prevention (M1038).

Which threat groups use T1059.003?

Known threat groups using T1059.003 include: Lazarus Group, Suckfly, GALLIUM, Magic Hound, ZIRCONIUM, Dark Caracal, Wizard Spider, Volt Typhoon.