Esc
Windows Command Shell - T1059.003
(ATT&CK® Technique)
Definition
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1059003["Windows Command Shell"] --> |executes| ExecutableScript["Executable Script"]; class T1059003 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1059003 href "/offensive-technique/attack/T1059.003/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1059003["Windows Command Shell"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1059003["Windows Command Shell"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1059003["Windows Command Shell"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript["Executable Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1059003["Windows Command Shell"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] --> | deletes | ExecutableScript["Executable Script"]; FileEviction["File Eviction"] -.-> | May Evict | T1059003["Windows Command Shell"] ; class FileEviction DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"]; FileEncryption["File Encryption"] -.-> | May Harden | T1059003["Windows Command Shell"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1059003["Windows Command Shell"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1059003["Windows Command Shell"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1059003["Windows Command Shell"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | ExecutableScript["Executable Script"]; RestoreFile["Restore File"] -.-> | May Restore | T1059003["Windows Command Shell"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1059003["Windows Command Shell"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";