MITRE ATT&CK® Tool

S0106: cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).

Enterprise | S0106 | Tool | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

cmd.exe is a legitimate Windows command interpreter, which makes it business-relevant because the same utility administrators use can also support execution, discovery, file movement, and cleanup behaviors. Its value to defenders is not in blocking cmd outright, but in proving whether the organization can distinguish normal administrative command-line use from suspicious use tied to ATT&CK techniques such as Windows Command Shell, file and directory discovery, file deletion, ingress tool transfer, and lateral tool transfer.

Executive priority

Treat cmd activity as a visibility and response-readiness issue for Windows environments. Leaders should ask whether endpoint logging, SOC analytics, and incident response procedures can reconstruct who launched cmd, from where, with what command line, and what files or child processes were affected. Because ATT&CK relationships associate cmd with multiple groups and a campaign, including activity descriptions involving healthcare, telecommunications, government, manufacturing, and critical infrastructure targeting, coverage should be prioritized where Windows systems support sensitive operations, regulated data, or business-critical services.

Technical view

For SOC and detection engineering teams, the key validation is process context: parent process, child processes, command-line arguments, user identity, host role, working directory, file operations, and any network or remote-service context available in local telemetry. ATT&CK provides no official detection text for this software object, so detections should be derived from the related techniques: T1059.003 for command-shell execution, T1082 and T1083 for discovery, T1070.004 for deletion, T1105 for inbound tool transfer, and T1570 for internal file transfer. Focus on abnormal cmd invocation patterns for the host and user rather than the mere presence of cmd.exe.

Likely telemetry

  • Windows process creation events including image name, full command line, parent process, child process, user, integrity/context, host, and timestamp
  • Endpoint detection and response records showing command execution chains and file activity
  • File creation, copy, deletion, and directory enumeration evidence where collected
  • Authentication and session context for the user or service account that launched cmd
  • Remote administration or remote service context when cmd is invoked through another management path

Detection direction

  • Baseline legitimate administrative cmd usage by role, server type, and management tooling before alerting on cmd.exe alone.
  • Tune for suspicious parent-child relationships, unusual users, unusual working directories, command lines involving discovery, deletion, copy, or transfer behavior, and cmd activity on systems where interactive shell use is rare.
  • Correlate cmd execution with ATT&CK-related behaviors rather than treating it as a standalone indicator: discovery followed by file transfer or deletion is more meaningful than isolated benign commands.
  • Validate whether command-line logging is complete; many environments collect process start events but omit full arguments, which materially weakens investigation value.
  • Account for false positives from scripts, software deployment, help desk activity, and administrative maintenance; require user, host, time, and change-ticket context where possible.
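To make the process-context approach from the Technical view and the baseline-and-correlate bullets above concrete, here is an added Python example (not code from Glexia or MITRE) that runs over constructed Sysmon-style process-creation records for cmd.exe; the baseline parent set, the five-minute correlation window, the verb-to-technique mapping and the record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records for cmd.exe launches
# (timestamp, host, user, parent image, command line); not real telemetry.
EVENTS = [
    ("2024-05-01T09:00:00", "WS01", "CORP\\jdoe", "explorer.exe", r"cmd.exe /c dir C:\Users"),
    ("2024-05-01T09:00:05", "WS01", "CORP\\jdoe", "explorer.exe", r"cmd.exe /c systeminfo"),
    ("2024-05-01T09:00:40", "WS01", "CORP\\jdoe", "explorer.exe", r"cmd.exe /c copy C:\Users\jdoe\t.exe \\FS01\share\t.exe"),
    ("2024-05-01T09:01:00", "WS01", "CORP\\jdoe", "explorer.exe", r"cmd.exe /c del /f /q C:\Users\jdoe\t.exe"),
    ("2024-05-01T10:30:00", "WS01", "CORP\\asmith", "winword.exe", r"cmd.exe /c whoami"),
    ("2024-05-01T11:00:00", "WS01", "CORP\\helpdesk", "explorer.exe", r"cmd.exe /c ipconfig /all"),
]
# Assumptions: parents that normally spawn cmd on this host role, and the
# correlation window for "discovery followed by transfer or deletion".
BASELINE_PARENTS = {"explorer.exe", "services.exe"}
WINDOW = timedelta(minutes=5)
DISCOVERY = {"T1083", "T1082"}
# Command verb -> technique on this page; copy may be T1105 or T1570 depending
# on whether the UNC target is internal, which the command line alone cannot tell.
TECHNIQUE_BY_VERB = {"dir": "T1083", "tree": "T1083", "systeminfo": "T1082",
                     "ver": "T1082", "del": "T1070.004", "erase": "T1070.004",
                     "copy": "T1570/T1105", "xcopy": "T1570/T1105", "robocopy": "T1570/T1105"}

def technique_for(cmdline):
    """Map the first verb after cmd.exe (and any /c or /k switch) to a technique."""
    for tok in cmdline.lower().replace('"', "").split():
        if tok.endswith("cmd.exe") or tok in ("/c", "/k", "/q", "/s"):
            continue
        return TECHNIQUE_BY_VERB.get(tok)
    return None

def analyze(events):
    """Return alerts for unusual parents and for discovery -> transfer/deletion
    sequences by the same host and user within WINDOW; isolated commands stay quiet."""
    alerts, seen = [], defaultdict(list)          # (host, user) -> [(time, technique)]
    for ts, host, user, parent, cmdline in sorted(events):
        t, key = datetime.fromisoformat(ts), (host, user)
        if parent.lower() not in BASELINE_PARENTS:
            alerts.append(("unusual-parent", key, parent, cmdline))
        tech = technique_for(cmdline)
        if tech is None:
            continue
        if tech not in DISCOVERY:
            prior = [x[1] for x in seen[key] if t - x[0] <= WINDOW and x[1] in DISCOVERY]
            if prior:
                alerts.append(("discovery-then-" + tech, key, prior[0], cmdline))
        seen[key].append((t, tech))
    return alerts
```

The helpdesk ipconfig and the lone dir are not alerted on their own; only the discovery-to-copy and discovery-to-delete chain and the Office-spawned shell surface, which is the distinction the bullets above call for.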

Mitigation priorities

  • Prioritize visibility first: ensure Windows endpoint and SOC pipelines capture process creation with command-line detail and retain it long enough for incident response.
  • Apply least privilege and administrative access controls so cmd launched by standard users, service accounts, or remote sessions has constrained ability to modify systems or move files.
  • Limit and monitor remote administration paths that can invoke command shells, especially on high-value Windows systems.
  • Harden file share permissions and monitor copy/delete activity relevant to lateral tool transfer and file deletion behaviors.
  • Prepare IR playbooks that preserve process trees, command lines, file paths, account context, and related network/file-transfer evidence before remediation.

Analyst notes and limits

The supplied object is a software/tool entry for the native Windows command interpreter, not a malware family. Its importance comes from dual-use behavior and its relationships to multiple ATT&CK techniques and several groups/campaigns. Glexia would use this object to drive control validation: do we see command execution clearly, can we separate routine administration from suspicious sequences, and can IR reconstruct discovery, file movement, or deletion activity?

MITRE provides no official detection guidance for this object, and the tool-level tactics are not specified. The supplied data supports Windows as the platform for cmd, while several related techniques list broader platforms; conclusions here are therefore scoped to Windows cmd usage. Local baselines, host roles, logging configuration, and administrative practices are required to determine suspiciousness.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain       ID         Name                                   Relationship / procedure
Enterprise   T1083      File and Directory Discovery
             cmd can be used to find files and directories with native functionality such as dir commands. [2]
Enterprise   T1105      Ingress Tool Transfer
             cmd can be used to copy files to/from a remotely connected external system. [4]
Enterprise   T1082      System Information Discovery
             cmd can be used to find information about the operating system. [2]
Enterprise   T1070.004  File Deletion (sub-technique)
             cmd can be used to delete files from the file system. [3]
Enterprise   T1059.003  Windows Command Shell (sub-technique)
             cmd is used to execute programs and other actions at the command-line interface. [1]
Enterprise   T1570      Lateral Tool Transfer
             cmd can be used to copy files to/from a remotely connected internal system. [4]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

Group Enterprise

G0026: APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [1]

Group Enterprise

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

Group Enterprise

G0071: Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. [6]

Campaign Enterprise

C0006: Operation Honeybee

Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: c8b878ee2008c336...

Imported snapshots across ATT&CK releases (1)
  Release: 19.1
  Bundle imported:
  Object version: 1.2
  Modified:
  Status: Current bundle
  Raw hash: c8b878ee2008…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TechNet Cmd. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  2. [2] TechNet Dir. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  3. [3] TechNet Del. Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  4. [4] TechNet Copy. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  5. [5] mitre-attack S0106.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.