Skip to content

S0106 cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. 1

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir 4), deleting files (e.g., del 3), and copying files (e.g., copy 2).

Item Value
ID S0106
Associated Names
Type TOOL
Version 1.2
Created 31 May 2017
Last Modified 16 April 2025
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell cmd is used to execute programs and other actions at the command-line interface.1
enterprise T1083 File and Directory Discovery cmd can be used to find files and directories with native functionality such as dir commands.4
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion cmd can be used to delete files from the file system.3
enterprise T1105 Ingress Tool Transfer cmd can be used to copy files to/from a remotely connected external system.2
enterprise T1570 Lateral Tool Transfer cmd can be used to copy files to/from a remotely connected internal system.2
enterprise T1082 System Information Discovery cmd can be used to find information about the operating system.4

Groups That Use This Software

ID Name References
G0093 GALLIUM 67
G0060 BRONZE BUTLER 8
G0026 APT18 9
G0045 menuPass 10
G0071 Orangeworm 11
G1017 Volt Typhoon 12

References

  1. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016. 

  2. Microsoft. (n.d.). Copy. Retrieved April 26, 2016. 

  3. Microsoft. (n.d.). Del. Retrieved April 22, 2016. 

  4. Microsoft. (n.d.). Dir. Retrieved April 18, 2016. 

  5. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  6. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  7. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  8. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  9. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  11. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  12. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.