Command and Scripting Interpreter: Windo

4H RAT has the capability to create a remote shell.^[2]

ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.^[3]

adbupd can run a copy of cmd.exe.^[4]

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.^[5]

S0045 ADVSTORESHELL

ADVSTORESHELL can create a remote shell and run a given command.^[6]^[7]

S0504 Anchor

Anchor has used cmd.exe to run its self deletion routine.^[8]

G0006 APT1

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.^[9]

G0026 APT18

APT18 uses cmd.exe to execute commands on the victim’s machine.^[10]^[11]

G0007 APT28

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.^[12] The group has also used macros to execute payloads.^[13]^[14]^[15]^[16]

G0016 APT29

APT29 used cmd.exe to execute commands on remote machines.^[17]^[18]

G0022 APT3

An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers.^[19]^[20]

G0050 APT32

APT32 has used cmd.exe for execution.^[21]

G0067 APT37

APT37 has used the command-line interface.^[22]^[23]

G0082 APT38

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.^[24]

G0096 APT41

APT41 used cmd.exe /c to execute commands on remote machines.^[25]APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.^[26]

S0373 Astaroth

Astaroth spawns a CMD process to execute commands. ^[27]

S0347 AuditCred

AuditCred can open a reverse shell on the system to execute commands.^[28]

S0638 Babuk

Babuk has the ability to use the command line to control execution on compromised hosts.^[29]^[30]

S0414 BabyShark

BabyShark has used cmd.exe to execute commands.^[31]

S0475 BackConfig

BackConfig can download and run batch files to execute commands on a compromised host.^[32]

S0031 BACKSPACE

Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.^[33]

S0128 BADNEWS

BADNEWS is capable of executing commands via cmd.exe.^[34]^[35]

S0234 Bandook

Bandook is capable of spawning a Windows command shell.^[36]^[37]

S0239 Bankshot

Bankshot uses the command-line interface to execute arbitrary commands.^[38]^[39]

S0534 Bazar

Bazar can launch cmd.exe to perform reconnaissance commands.^[40]^[41]

S0470 BBK

BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.^[3]

S0017 BISCUIT

BISCUIT has a command to launch a command shell on the system.^[42]

S0268 Bisonal

Bisonal can launch cmd.exe to execute commands on the system.^[43]^[44]

S0069 BLACKCOFFEE

BLACKCOFFEE has the capability to create a reverse shell.^[45]

S0564 BlackMould

BlackMould can run cmd.exe with parameters.^[46]

S0520 BLINDINGCAN

BLINDINGCAN has executed commands via cmd.exe.^[47]

G0108 Blue Mockingbird

Blue Mockingbird has used batch script files to automate execution and deployment of payloads.^[48]

S0360 BONDUPDATER

BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.^[49]

S0651 BoxCaon

BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.^[50]

G0060 BRONZE BUTLER

BRONZE BUTLER has used batch scripts and the command-line interface for execution.^[51]

S0025 CALENDAR

CALENDAR has a command to run cmd.exe to execute commands.^[42]

S0030 Carbanak

Carbanak has a command to create a reverse shell.^[52]

S0348 Cardinal RAT

Cardinal RAT can execute commands.^[53]

S0462 CARROTBAT

CARROTBAT has the ability to execute command line arguments on a compromised host.^[54]

S0572 Caterpillar WebShell

Caterpillar WebShell can run commands on the compromised asset with CMD functions.^[55]

S0631 Chaes

Chaes has used cmd to execute tasks on the system.^[56]

G0114 Chimera

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.^[57]

S0020 China Chopper

China Chopper's server component is capable of opening a command terminal.^[58]^[59]^[60]

S0611 Clop

Clop can use cmd.exe to help execute commands on the system.^[61]

S0106 cmd

cmd is used to execute programs and other actions at the command-line interface.^[62]

G0080 Cobalt Group

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.^[63] The group has used an exploit toolkit known as Threadkit that launches .bat files.^[64]^[65]^[66]^[63]^[67]^[68]

S0154 Cobalt Strike

Cobalt Strike uses a command-line interface to interact with systems.^[69]^[70]^[71]

S0338 Cobian RAT

Cobian RAT can launch a remote command shell interface for executing commands.^[72]

S0369 CoinTicker

CoinTicker executes a bash script to establish a reverse shell.^[73]

S0244 Comnie

Comnie executes BAT scripts.^[74]

S0126 ComRAT

ComRAT has used cmd.exe to execute commands.^[75]

S0575 Conti

Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.^[76]

S0046 CozyCar

A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.^[77]

S0115 Crimson

Crimson has the ability to execute commands with the COMSPEC environment variable.^[78]

S0625 Cuba

Cuba has used cmd.exe /c and batch files for execution.^[79]

G0070 Dark Caracal

Dark Caracal has used macros in Word documents that would download a second stage if executed.^[80]

S0334 DarkComet

DarkComet can launch a remote shell to execute commands on the victim’s machine.^[81]

G0012 Darkhotel

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.^[82]

S0187 Daserf

Daserf can execute shell commands.^[83]^[51]

S0243 DealersChoice

DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.^[84]

S0354 Denis

Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.^[85]^[21]

S0200 Dipsind

Dipsind can spawn remote shells.^[4]

S0186 DownPaper

DownPaper uses the command line.^[86]

G0074 Dragonfly 2.0

Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.^[87]^[88]

S0547 DropBook

DropBook can execute arbitrary shell commands on the victims' machines.^[89]^[90]

S0567 Dtrack

Dtrack has used cmd.exe to add a persistent service.^[91]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.^[92]

S0554 Egregor

Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.^[93]^[94]

S0082 Emissary

Emissary has the capability to create a remote shell and execute specified commands.^[95]

S0367 Emotet

Emotet has used cmd.exe to run a PowerShell script. ^[96]

S0363 Empire

Empire has modules for executing scripts.^[97]

S0634 EnvyScout

EnvyScout can use cmd.exe to execute malicious files on compromised hosts.^[98]

S0396 EvilBunny

EvilBunny has an integrated scripting engine to download and execute Lua scripts.^[99]

S0343 Exaramel for Windows

Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.^[100]

S0171 Felismus

Felismus uses command line for execution.^[101]

S0267 FELIXROOT

FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.^[102]^[103]

G0051 FIN10

FIN10 has executed malicious .bat files containing PowerShell commands.^[104]

G0037 FIN6

FIN6 has used kill.bat script to disable security tools.^[105]

G0046 FIN7

FIN7 used the command prompt to launch commands on the victim’s machine.^[106]^[107]

G0061 FIN8

FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.^[108] FIN8 has also executed commands remotely via cmd.^[109]^[110]

G0117 Fox Kitten

Fox Kitten has used cmd.exe likely as a password changing mechanism.^[111]

G0101 Frankenstein

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.^[112]

G0093 GALLIUM

GALLIUM used the Windows command shell to execute commands.^[113]

G0047 Gamaredon Group

Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.^[114]^[115]

S0249 Gold Dragon

Gold Dragon uses cmd.exe to execute commands for discovery.^[116]

S0493 GoldenSpy

GoldenSpy can execute remote commands via the command-line interface.^[117]

S0588 GoldMax

GoldMax can spawn a command shell, and execute native commands.^[118]^[119]

S0477 Goopy

Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.^[21]

G0078 Gorgon Group

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.^[120]

S0237 GravityRAT

GravityRAT executes commands remotely on the infected host.^[121]

S0342 GreyEnergy

GreyEnergy uses cmd.exe to execute itself in-memory.^[103]

S0632 GrimAgent

GrimAgent can use the Windows Command Shell to execute commands, including its own removal.^[122]

S0132 H1N1

H1N1 kills and disables services by using cmd.exe.^[123]

S0246 HARDRAIN

HARDRAIN uses cmd.exe to execute netshcommands.^[124]

S0391 HAWKBALL

HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.^[125]

S0071 hcdLoader

hcdLoader provides command-line access to the compromised system.^[126]

S0170 Helminth

Helminth can provide a remote shell. One version of Helminth uses batch scripting.^[127]

S0087 Hi-Zor

Hi-Zor has the ability to create a reverse shell.^[128]

S0394 HiddenWasp

HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.^[129]

G0126 Higaisa

Higaisa used cmd.exe for execution.^[130]^[131]^[132]

S0009 Hikit

Hikit has the ability to create a remote shell and run given commands.^[133]

S0232 HOMEFRY

HOMEFRY uses a command-line interface.^[134]

G0072 Honeybee

Several commands are supported by the Honeybee's implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint.^[135] Honeybee used batch scripting.^[135]

S0376 HOPLIGHT

HOPLIGHT can launch cmd.exe to execute commands on the system.^[136]

S0431 HotCroissant

HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.^[137]

S0070 HTTPBrowser

HTTPBrowser is capable of spawning a reverse shell on a victim.^[138]

S0068 httpclient

httpclient opens cmd.exe on the victim.^[2]

G0119 Indrik Spider

Indrik Spider has used batch scripts on victim's machines.^[139]

S0259 InnaputRAT

InnaputRAT launches a shell to execute commands on the victim’s machine.^[140]

S0260 InvisiMole

InvisiMole can launch a remote shell to execute commands.^[141]^[142]

S0015 Ixeshe

Ixeshe is capable of executing commands via cmd.^[143]

S0389 JCry

JCry has used cmd.exe to launch PowerShell.^[144]

S0044 JHUHUGIT

JHUHUGIT uses a .bat file to execute a .dll.^[13]

S0201 JPIN

JPIN can use the command-line utility cacls.exe to change file permissions.^[4]

S0283 jRAT

jRAT has command line access.^[145]

S0088 Kasidet

Kasidet can execute commands using cmd.exe.^[146]

S0265 Kazuar

Kazuar uses cmd.exe to execute commands on the victim’s machine.^[147]

G0004 Ke3chang

Ke3chang has used batch scripts in its malware to install persistence mechanisms.^[148]

S0387 KeyBoy

KeyBoy can launch interactive shells for communicating with the victim machine.^[149]^[150]

S0271 KEYMARBLE

KEYMARBLE can execute shell commands using cmd.exe.^[151]

S0526 KGH_SPY

KGH_SPY has the ability to set a Registry key to run a cmd.exe command.^[152]

S0250 Koadic

Koadic can open an interactive command-shell to perform command line functions on victim machines.^[153] Koadic performs most of its operations using Windows Script Host (Jscript) and runs arbitrary shellcode .^[153]

S0156 KOMPROGO

KOMPROGO is capable of creating a reverse shell.^[154]

S0356 KONNI

KONNI has used cmd.exe execute arbitrary commands on the infected host across different stages of the infection change.^[155]^[156]

G0032 Lazarus Group

Lazarus Group malware uses cmd.exe to execute commands on victims.^[157]^[158]^[159]^[160] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.^[161]

S0395 LightNeuron

LightNeuron is capable of executing commands via cmd.exe.^[162]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can start a remote shell.^[163]

S0447 Lokibot

Lokibot has used cmd /c commands embedded within batch scripts.^[164]

S0582 LookBack

LookBack executes the cmd.exe command.^[165]

S0451 LoudMiner

LoudMiner used a batch script to run the Linux virtual machine as a service.^[166]

S0532 Lucifer

Lucifer can issue shell commands to download and execute additional payloads.^[167]

G0095 Machete

Machete has used batch files to initiate additional downloads of malicious files.^[168]

G0059 Magic Hound

Magic Hound has used the command-line interface.^[169]

S0652 MarkiRAT

MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.^[170]

S0449 Maze

The Maze encryption process has used batch scripts with various commands.^[171]^[172]

S0500 MCMD

MCMD can launch a console process (cmd.exe) with redirected standard input and output.^[173]

S0459 MechaFlounder

MechaFlounder has the ability to run commands on a compromised host.^[174]

S0576 MegaCortex

MegaCortex has used .cmd scripts on the victim's system.^[175]

G0045 menuPass

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.^[176]^[177]^[178]^[179] menuPass has used malicious macros embedded inside Office documents to execute files.^[180]^[179]

S0455 Metamorfo

Metamorfo has used cmd.exe /c to execute files.^[181]

S0339 Micropsia

Micropsia creates a command-line shell using cmd.exe.^[182]

S0280 MirageFox

MirageFox has the capability to execute commands using cmd.exe.^[183]

S0084 Mis-Type

Mis-Type uses cmd.exe to run commands for enumerating the host.^[184]

S0083 Misdat

Misdat is capable of providing shell functionality to the attacker to execute commands.^[184]

S0080 Mivast

Mivast has the capability to open a remote shell and run basic commands.^[185]

S0553 MoleNet

MoleNet can execute commands via the command line utility.^[89]

S0149 MoonWind

MoonWind can execute commands via an interactive command shell.^[186] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.^[186]

S0284 More_eggs

More_eggs has used cmd.exe for execution.^[187]^[188]

S0256 Mosquito

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.^[189]

G0069 MuddyWater

MuddyWater has used a custom tool for creating reverse shells.^[190]

S0233 MURKYTOP

MURKYTOP uses the command-line interface.^[134]

G0129 Mustang Panda

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.^[191]^[192]

S0336 NanoCore

NanoCore can open a remote command-line interface and execute commands.^[193] NanoCore uses JavaScript files.^[194]

S0247 NavRAT

NavRAT leverages cmd.exe to perform discovery techniques.^[195] NavRAT loads malicious shellcode and executes it in memory.^[195]

S0630 Nebulae

Nebulae can use CMD to execute a process.^[196]

S0034 NETEAGLE

NETEAGLE allows adversaries to execute shell commands on the infected host.^[33]

S0457 Netwalker

Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.^[197]

S0198 NETWIRE

NETWIRE can issue commands using cmd.exe.^[198]^[199]

S0385 njRAT

njRAT can launch a command shell interface for executing commands.^[200]

G0133 Nomadic Octopus

Nomadic Octopus used cmd.exe /c within a malicious macro.^[201]

S0346 OceanSalt

OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.^[202] OceanSalt has been executed via malicious macros.^[202]

G0049 OilRig

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.^[203]^[204]^[205]^[206]^[207] OilRig has used batch scripts.^[203]^[204]^[205]^[206]^[207]

S0439 Okrum

Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.^[208]

S0264 OopsIE

OopsIE uses the command prompt to execute commands on the victim's machine.^[205]^[209]

G0116 Operation Wocao

Operation Wocao has spawned a new cmd.exe process to execute commands.^[210]

S0229 Orz

Orz can execute shell commands.^[211] Orz can execute commands with JavaScript.^[211]

S0594 Out1

Out1 can use native command line for execution.^[212]

G0040 Patchwork

Patchwork ran a reverse shell with Meterpreter.^[213] Patchwork used JavaScript code and .SCT files on victim machines.^[35]^[214]

S0643 Peppy

Peppy has the ability to execute shell commands.^[215]

S0158 PHOREAL

PHOREAL is capable of creating reverse shell.^[154]

S0124 Pisloader

Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.^[216]

S0254 PLAINTEE

PLAINTEE uses cmd.exe to execute commands on the victim’s machine.^[217]

S0435 PLEAD

PLEAD has the ability to execute shell commands on the compromised host.^[218]

S0013 PlugX

PlugX allows actors to spawn a reverse shell on a victim.^[138]^[219]

S0428 PoetRAT

PoetRAT has called cmd through a Word document macro.^[220]

S0012 PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.^[221]

S0453 Pony

Pony has used batch scripts to delete itself after execution.^[222]

S0139 PowerDuke

PowerDuke runs cmd.exe /c and sends the output to its C2.^[223]

S0184 POWRUNER

POWRUNER can execute commands from its C2 server.^[203]

S0238 Proxysvc

Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM* .tmp 2>&1".^[161]

S0147 Pteranodon

Pteranodon can execute commands on the victim.^[114]

S0650 QakBot

QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.^[224]^[225]^[226]

S0269 QUADAGENT

QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.^[206]

S0262 QuasarRAT

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.^[227]

S0481 Ragnar Locker

Ragnar Locker has used cmd.exe and batch scripts to execute commands.^[228]

S0629 RainyDay

RainyDay can use the Windows Command Shell for execution.^[196]

G0075 Rancor

Rancor has used cmd.exe to execute commmands.^[217]

S0241 RATANKBA

RATANKBA uses cmd.exe to execute commands.^[229]^[230]

S0495 RDAT

RDAT has executed commands using cmd.exe /c.^[231]

S0153 RedLeaves

RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.^[177]^[232]

S0332 Remcos

Remcos can launch a remote command line to execute commands on the victim’s machine.^[233]

S0375 Remexi

Remexi silently executes received commands with cmd.exe.^[234]

S0379 Revenge RAT

Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.^[235]

S0496 REvil

REvil can use the Windows command line to delete volume shadow copies and disable recovery.^[236]^[237]^[238]^[239]

S0258 RGDoor

RGDoor uses cmd.exe to execute commands on the victim’s machine.^[240]

S0448 Rising Sun

Rising Sun executed commands using cmd.exe.^[241]

S0400 RobbinHood

RobbinHood uses cmd.exe on the victim's computer.^[242]

S0270 RogueRobin

RogueRobin uses Windows Script Components.^[243]^[244]

S0148 RTM

RTM uses the command line and rundll32.exe to execute.^[245]

S0253 RunningRAT

RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.^[116]

S0446 Ryuk

Ryuk has used cmd.exe to create a Registry entry to establish persistence.^[246]

S0074 Sakula

Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.^[247]

S0370 SamSam

SamSam uses custom batch scripts to execute some of its components.^[248]

G0034 Sandworm Team

Sandworm Team has run the xp_cmdshell command in MS-SQL.^[249]

S0461 SDBbot

SDBbot has the ability to use the command shell to execute commands on a compromised host.^[250]

S0053 SeaDuke

SeaDuke is capable of executing commands.^[251]

S0345 Seasalt

Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.^[42]

S0185 SEASHARPEE

SEASHARPEE can execute commands on victims.^[252]

S0382 ServHelper

ServHelper can execute shell commands against cmd.^[253]^[254]

S0639 Seth-Locker

Seth-Locker can execute commands via the command line shell.^[255]

S0546 SharpStage

SharpStage can execute arbitrary commands with the command line.^[89]^[90]

S0444 ShimRat

ShimRat can be issued a command shell function from the C2.^[256]

S0610 SideTwist

SideTwist can execute shell commands on a compromised host.^[257]

G0091 Silence

Silence has used Windows command-line to run commands.^[258]^[259]^[260]

S0623 Siloscape

Siloscape can run cmd through an IRC channel.^[261]

S0533 SLOTHFULMEDIA

SLOTHFULMEDIA can open a command line to execute commands.^[262]

S0159 SNUGRIDE

SNUGRIDE is capable of executing commands and spawning a reverse shell.^[232]

G0054 Sowbug

Sowbug has used command line during its intrusions.^[263]

S0543 Spark

Spark can use cmd.exe to run commands.^[264]

S0390 SQLRat

SQLRat has used SQL to execute JavaScript and VB scripts on the host system.^[107]

S0142 StreamEx

StreamEx has the ability to remotely execute commands.^[265]

G0039 Suckfly

Several tools used by Suckfly have been command-line driven.^[266]

S0464 SYSCON

SYSCON has the ability to execute commands through cmd on a compromised host.^[54]

G0092 TA505

TA505 has executed commands using cmd.exe.^[267]

G0127 TA551

TA551 has used cmd.exe to execute commands.^[268]

S0011 Taidoor

Taidoor can copy cmd.exe into the system temp folder.^[269]

S0586 TAINTEDSCRIBE

TAINTEDSCRIBE can enable Windows CLI access and execute files.^[270]

S0164 TDTESS

TDTESS provides a reverse shell on the victim.^[271]

G0139 TeamTNT

TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.^[272]

S0146 TEXTMATE

TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.^[273]^[274]

G0028 Threat Group-1314

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.^[275]

G0027 Threat Group-3390

Threat Group-3390 has used command-line interfaces for execution.^[58]^[276]

S0004 TinyZBot

TinyZBot supports execution from the command-line.^[277]

S0266 TrickBot

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.^[278]

S0094 Trojan.Karagany

Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.^[279]

G0081 Tropic Trooper

Tropic Trooper has used Windows command scripts.^[280]

S0436 TSCookie

TSCookie has the ability to execute shell commands on the infected host.^[281]

S0647 Turian

Turian can create a remote shell and execute commands using cmd.^[282]

G0010 Turla

Turla RPC backdoors have used cmd.exe to execute commands.^[283]^[284]

S0199 TURNEDUP

TURNEDUP is capable of creating a reverse shell.^[285]

S0263 TYPEFRAME

TYPEFRAME can uninstall malware components using a batch script.^[286] TYPEFRAME can execute commands using a shell.^[286]

S0333 UBoatRAT

UBoatRAT can start a command shell.^[287]

S0221 Umbreon

Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet^[288]

S0275 UPPERCUT

UPPERCUT uses cmd.exe to execute commands on the victim’s machine.^[179]

S0452 USBferry

USBferry can execute various Windows commands.^[280]

S0180 Volgmer

Volgmer can execute commands on the victim's machine.^[289]^[290]

S0612 WastedLocker

WastedLocker has used cmd to execute commands on the system.^[291]

S0109 WEBC2

WEBC2 can open an interactive command shell.^[9]

S0514 WellMess

WellMess can execute command line scripts received from C2.^[292]