During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL.[2]
ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[4]
Action RAT can use cmd.exe to execute commands on an infected host.[5]
Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[7]
ADVSTORESHELL can create a remote shell and run a given command.[8][9]
Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.[10]
Akira executes from the Windows command line and can take various arguments for execution.[11]
Anchor has used cmd.exe to run its self deletion routine.[12]
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[13]
APT18 uses cmd.exe to execute commands on the victim’s machine.[14][15]
An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[16] The group has also used macros to execute payloads.[17][18][19][20]
An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers.[21][22]
APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[26]
APT41 used cmd.exe /c to execute commands on remote machines.[27] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[28]
APT5 has used cmd.exe for execution on compromised systems.[29]
Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[30]
AuditCred can open a reverse shell on the system to execute commands.[32]
AuTo Stealer can use cmd.exe to execute a created batch file.[5]
Babuk has the ability to use the command line to control execution on compromised hosts.[33][34]
BackConfig can download and run batch files to execute commands on a compromised host.[36]
Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[37]
BADHATCH can use cmd.exe to execute commands on a compromised host.[38][39]
BADNEWS is capable of executing commands via cmd.exe.[40][41]
Bandook is capable of spawning a Windows command shell.[42][43]
Bankshot uses the command-line interface to execute arbitrary commands.[44][45]
Bazar can launch cmd.exe to perform reconnaissance commands.[46][47]
BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[4]
BISCUIT has a command to launch a command shell on the system.[48]
Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.[49][50][51]
Black Basta can use cmd.exe to enable shadow copy deletion.[52]
BlackCat can execute commands on a compromised network with the use of cmd.exe.[53]
BLACKCOFFEE has the capability to create a reverse shell.[54]
BlackMould can run cmd.exe with parameters.[55]
BLINDINGCAN has executed commands via cmd.exe.[56]
Blue Mockingbird has used batch script files to automate execution and deployment of payloads.[57]
BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[58]
BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.[59]
BRONZE BUTLER has used batch scripts and the command-line interface for execution.[60]
Brute Ratel C4 can use cmd.exe for execution.[61]
During C0015, the threat actors used cmd.exe to execute commands and run malicious binaries.[64]
During C0017, APT41 used cmd.exe to execute reconnaissance commands.[65]
CALENDAR has a command to run cmd.exe to execute commands.[48]
Cardinal RAT can execute commands.[67]
CARROTBAT has the ability to execute command line arguments on a compromised host.[68]
Caterpillar WebShell can run commands on the compromised asset with CMD functions.[69]
ccf32 has used cmd.exe for archiving data and deleting files.[70]
The C# implementation of the CharmPower command execution module can use cmd.[72]
Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[73]
China Chopper's server component is capable of opening a command terminal.[74][75][76]
Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.[77]
Clop can use cmd.exe to help execute commands on the system.[79]
cmd is used to execute programs and other actions at the command-line interface.[80]
Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[81] The group has used an exploit toolkit known as Threadkit that launches .bat files.[82][83][84][81][85][86]
Cobalt Strike uses a command-line interface to interact with systems.[87][88][89][90]
Cobian RAT can launch a remote command shell interface for executing commands.[91]
CoinTicker executes a bash script to establish a reverse shell.[92]
Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.[95][64]
Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.[96]
A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.[97]
Crimson has the ability to execute commands with the COMSPEC environment variable.[98]
DanBot has the ability to execute arbitrary commands via cmd.exe.[100][101]
Dark Caracal has used macros in Word documents that would download a second stage if executed.[102]
DarkComet can launch a remote shell to execute commands on the victim’s machine.[103]
DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.[104]
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[105]
DarkTortilla can use cmd.exe to add registry keys for persistence.[106]
DarkWatchman can use cmd.exe to execute commands.[107]
DEADEYE can run cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll to combine separated sections of code into a single DLL prior to execution.[65]
DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.[109]
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[110][23]
Dragonfly has used various types of scripting to perform operations, including batch scripts.[113]
DropBook can execute arbitrary shell commands on the victims' machines.[114][115]
ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.[118]
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[119][120]
Emissary has the capability to create a remote shell and execute specified commands.[121]
EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[124]
EvilBunny has an integrated scripting engine to download and execute Lua scripts.[125]
Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[126]
FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.[128][129]
FIN10 has executed malicious .bat files containing PowerShell commands.[130]
FIN13 has leveraged xp_cmdshell and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.[131][132]
FIN6 has used kill.bat script to disable security tools.[133]
FIN7 used the command prompt to launch commands on the victim’s machine.[134][135][136]
FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[137] FIN8 has also executed commands remotely via cmd.exe.[138][139][140]
Flagpro can use cmd.exe to execute commands received from C2.[141]
FlawedAmmyy has used cmd to execute commands on a compromised host.[142]
Fox Kitten has used cmd.exe likely as a password changing mechanism.[143]
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.[144]
FunnyDream can use cmd.exe for execution on remote hosts.[70]
During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script.[70]
GALLIUM used the Windows command shell to execute commands.[145]
Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[146][147][148][149]
Gold Dragon uses cmd.exe to execute commands for discovery.[151]
GoldenSpy can execute remote commands via the command-line interface.[152]
GoldMax can spawn a command shell, and execute native commands.[153][154]
Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[23]
Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[155]
GravityRAT executes commands remotely on the infected host.[156]
GreyEnergy uses cmd.exe to execute itself in-memory.[129]
GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[157]
HAFNIUM has used cmd.exe to execute commands on the victim's machine.[159]
HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[161]
hcdLoader provides command-line access to the compromised system.[162]
Helminth can provide a remote shell. One version of Helminth uses batch scripting.[163]
HermeticWiper can use cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1 to deploy on an infected system.[164]
HermeticWizard can use cmd.exe for execution on compromised hosts.[164]
HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[166]
Hikit has the ability to create a remote shell and run given commands.[170]
During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[172][173]
HOPLIGHT can launch cmd.exe to execute commands on the system.[174]
HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.[175]
HTTPBrowser is capable of spawning a reverse shell on a victim.[176]
httpclient opens cmd.exe on the victim.[3]
INC Ransom has used cmd.exe to launch malicious payloads.[177]
Indrik Spider has used batch scripts on victim's machines.[178][179]
InnaputRAT launches a shell to execute commands on the victim’s machine.[180]
InvisiMole can launch a remote shell to execute commands.[181][182]
IPsec Helper can run arbitrary commands passed to it through cmd.exe.[10]
JPIN can use the command-line utility cacls.exe to change file permissions.[6]
Kazuar uses cmd.exe to execute commands on the victim’s machine.[187]
Ke3chang has used batch scripts in its malware to install persistence mechanisms.[188]
Kevin can use a renamed image of cmd.exe for execution.[189]
KeyBoy can launch interactive shells for communicating with the victim machine.[190][191]
KGH_SPY has the ability to set a Registry key to run a cmd.exe command.[193]
Kimsuky has executed Windows commands by using cmd and running batch scripts.[194][195]
Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript), including running arbitrary shellcode.[196][197]
KOCTOPUS has used cmd.exe and batch files for execution.[197]
KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[199][200][201]
The Latrodectus command handler can use cmd.exe to run multiple discovery commands.[202][203]
Lazarus Group malware uses cmd.exe to execute commands on a compromised host.[204][205][206][207][208] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[209]
LazyScripter has used batch files to deploy open-source and multi-stage RATs.[197]
LightNeuron is capable of executing commands via cmd.exe.[210]
Linfo creates a backdoor through which remote attackers can start a remote shell.[211]
Lizar has a command to open the command-line on the infected system.[212][213]
Lokibot has used cmd /c commands embedded within batch scripts.[214]
LoudMiner used a batch script to run the Linux virtual machine as a service.[216]
Lucifer can issue shell commands to download and execute additional payloads.[217]
LunarWeb can run shell commands using a BAT file with a name matching %TEMP%\<random_9_alnum_chars>.bat file or through cmd.exe with the /c and /U option for Unicode output.[218]
Machete has used batch files to initiate additional downloads of malicious files.[219]
Magic Hound has used the command-line interface for code execution.[221][222][223]
Manjusaka can execute arbitrary commands passed to it from the C2 controller via cmd.exe /c.[224]
MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.[225]
The Maze encryption process has used batch scripts with various commands.[226][227]
MCMD can launch a console process (cmd.exe) with redirected standard input and output.[228]
MechaFlounder has the ability to run commands on a compromised host.[229]
MegaCortex has used .cmd scripts on the victim's system.[230]
menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[231][232][233][234] menuPass has used malicious macros embedded inside Office documents to execute files.[235][234]
Metador has used the Windows command line to execute commands.[236]
Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.[238]
Milan can use cmd.exe for discovery actions on a targeted system.[101]
MirageFox has the capability to execute commands using cmd.exe.[240]
Mis-Type has used cmd.exe to run commands on a compromised host.[241]
Misdat is capable of providing shell functionality to the attacker to execute commands.[241]
Mivast has the capability to open a remote shell and run basic commands.[242]
MoleNet can execute commands via the command line utility.[114]
MoonWind can execute commands via an interactive command shell.[243] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[243]
Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[246]
MuddyWater has used a custom tool for creating reverse shells.[247]
MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs.[248]
Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[249][250]
NanoCore can open a remote command-line interface and execute commands.[251] NanoCore uses JavaScript files.[252]
NavRAT leverages cmd.exe to perform discovery techniques.[253] NavRAT loads malicious shellcode and executes it in memory.[253]
NETEAGLE allows adversaries to execute shell commands on the infected host.[37]
Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[255]
During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.[258]
Nightdoor creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.[259]
njRAT can launch a command shell interface for executing commands.[260]
Nomadic Octopus used cmd.exe /c within a malicious macro.[261]
OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[262] OceanSalt has been executed via malicious macros.[262]
OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[263][264][265][266][267] OilRig has used batch scripts.[263][264][265][266][267]
Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[268]
OopsIE uses the command prompt to execute commands on the victim's machine.[265][269]
During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[270]
During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[271][272]
During Operation Honeybee, various implants used batch scripting and cmd.exe for execution.[273]
During Operation Wocao, threat actors spawned a new cmd.exe process to execute commands.[274]
Orz can execute shell commands.[275] Orz can execute commands with JavaScript.[275]
OutSteel has used cmd.exe to scan a compromised host for specific file extensions.[277]
Patchwork ran a reverse shell with Meterpreter.[278] Patchwork used JavaScript code and .SCT files on victim machines.[41][279]
Pikabot can execute Windows shell commands via cmd.exe.[281]
PingPull can use cmd.exe to run various commands as a reverse shell.[282]
Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[283]
PLAINTEE uses cmd.exe to execute commands on the victim’s machine.[284]
Play has used a batch script to remove indicators of its presence on compromised hosts.[285]
PLEAD has the ability to execute shell commands on the compromised host.[286]
PlugX allows actors to spawn a reverse shell on a victim.[176][287]
PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[289]
Pony has used batch scripts to delete itself after execution.[290]
PowerDuke runs cmd.exe /c and sends the output to its C2.[291]
Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c ".[209]
Pteranodon can use cmd.exe for execution on victim systems.[146][292]
QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[294][295][296][90]
QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.[266]
QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[297][298]
Ragnar Locker has used cmd.exe and batch scripts to execute commands.[299]
RainyDay can use the Windows Command Shell for execution.[254]
Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.[300]
RCSession can use cmd.exe for execution on compromised hosts.[78]
RedCurl has used the Windows Command Prompt to execute commands.[304][305][306]
RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[232][307]
Remcos can launch a remote command line to execute commands on the victim’s machine.[308]
Remexi silently executes received commands with cmd.exe.[309]
Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[310]
REvil can use the Windows command line to delete volume shadow copies and disable recovery.[311][312][313][314]
RGDoor uses cmd.exe to execute commands on the victim’s machine.[315]
Rising Sun has executed commands using cmd.exe /c "<command> > <%temp%>\AM<random>.tmp" 2>&1.[316]
ROADSWEEP can open cmd.exe to enable command execution.[317][173]
RobbinHood uses cmd.exe on the victim's computer.[318]
RogueRobin uses Windows Script Components.[319][320]
RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.[151]
Ryuk has used cmd.exe to create a Registry entry to establish persistence.[322]
S-Type has provided the ability to execute shell commands on a compromised host.[241]
Saint Bear initial loaders will also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality.[277]
Saint Bot has used cmd.exe and .bat scripts for execution.[277]
Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[323]
SamSam uses custom batch scripts to execute some of its components.[324]
Samurai can use a remote command module for execution via the Windows command line.[325]
Sardonic has the ability to run cmd.exe or other interactive processes on a compromised computer.[140]
SDBbot has the ability to use the command shell to execute commands on a compromised host.[326]
Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[48]
SEASHARPEE can execute commands on victims.[328]
ServHelper can execute shell commands against cmd.[329][330]
Seth-Locker can execute commands via the command line shell.[331]
Shark has the ability to use CMD to execute commands.[101][332]
SharpDisco can use cmd.exe to execute plugins and to send command output to specified SMB shares.[333]
SharpStage can execute arbitrary commands with the command line.[114][115]
ShimRat can be issued a command shell function from the C2.[334]
SideTwist can execute shell commands on a compromised host.[335]
Silence has used Windows command-line to run commands.[336][337][338]
SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[339]
SLOTHFULMEDIA can open a command line to execute commands.[341]
Small Sieve can use cmd.exe to execute commands on a victim's system.[342]
SNUGRIDE is capable of executing commands and spawning a reverse shell.[307]
During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines.[343][344]
SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[135]
Squirrelwaffle has used cmd.exe for execution.[347]
STARWHALE has the ability to execute commands via cmd.exe.[348]
StrifeWater can execute shell commands using cmd.exe.[350]
Several tools used by Suckfly have been command-line driven.[351]
SUGARUSH has used cmd for execution on an infected host.[352]
SYSCON has the ability to execute commands through cmd on a compromised host.[68]
TAINTEDSCRIBE can enable Windows CLI access and execute files.[357]
Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.[358]
TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.[360]
TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[361][362]
Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[363]
Threat Group-3390 has used command-line interfaces for execution.[74][364]
ToddyCat has used .bat scripts and cmd for execution on compromised hosts.[367]
TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[368]
Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.[369]
Tropic Trooper has used Windows command scripts.[370]
TSCookie has the ability to execute shell commands on the infected host.[371]
Turian can create a remote shell and execute commands using cmd.[372]
Turla RPC backdoors have used cmd.exe to execute commands.[373][374]
TYPEFRAME can uninstall malware components using a batch script.[376] TYPEFRAME can execute commands using a shell.[376]
Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[378]
UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[234]
Uroburos has the ability to use the command line for execution on the targeted system.[379]
Volgmer can execute commands on the victim's machine.[380][381]
Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[382][383][384][385]
WarzoneRAT can use cmd.exe to execute malicious code.[386]
WastedLocker has used cmd to execute commands on the system.[387]
Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.[388]
WellMess can execute command line scripts received from C2.[389]
WhisperGate can use cmd.exe to execute commands.[390]
Wiarp creates a backdoor through which remote attackers can open a command line interface.[391]
Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools.[392][393]
Wizard Spider has used cmd.exe to execute commands on a victim's machine.[394][395]
Zebrocy uses cmd.exe to execute commands on the system.[398][399]
Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.[400]
ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[401]