Skip to content

S0106 cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. 1

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir 4), deleting files (e.g., del 3), and copying files (e.g., copy 2).

Item Value
ID S0106
Associated Names
Type TOOL
Version 1.2
Created 31 May 2017
Last Modified 13 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell cmd is used to execute programs and other actions at the command-line interface.1
enterprise T1083 File and Directory Discovery cmd can be used to find files and directories with native functionality such as dir commands.4
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion cmd can be used to delete files from the file system.3
enterprise T1105 Ingress Tool Transfer cmd can be used to copy files to/from a remotely connected external system.2
enterprise T1570 Lateral Tool Transfer cmd can be used to copy files to/from a remotely connected internal system.2
enterprise T1082 System Information Discovery cmd can be used to find information about the operating system.4

Groups That Use This Software

ID Name References
G0071 Orangeworm 6
G0026 APT18 7
G0060 BRONZE BUTLER 8
G0045 menuPass 9
G0093 GALLIUM 1011

References

  1. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016. 

  2. Microsoft. (n.d.). Copy. Retrieved April 26, 2016. 

  3. Microsoft. (n.d.). Del. Retrieved April 22, 2016. 

  4. Microsoft. (n.d.). Dir. Retrieved April 18, 2016. 

  5. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  6. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  7. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  8. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  9. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  10. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  11. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.