MITRE ATT&CK Technique
Description
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows) Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-09T14:12:31.196Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the Windows command shell for '
'execution. The Windows command shell '
'([cmd](https://attack.mitre.org/software/S0106)) is the '
'primary command prompt on Windows systems. The Windows '
'command prompt can be used to control almost any aspect of a '
'system, with various permission levels required for different '
'subsets of commands. The command prompt can be invoked '
'remotely via [Remote '
'Services](https://attack.mitre.org/techniques/T1021) such as '
'[SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: '
'SSH in Windows)\n'
'\n'
'Batch files (ex: .bat or .cmd) also provide the shell with a '
'list of sequential commands to run, as well as normal '
'scripting operations such as conditionals and loops. Common '
'uses of batch files include long or repetitive tasks, or the '
'need to run the same set of commands on multiple systems.\n'
'\n'
'Adversaries may leverage '
'[cmd](https://attack.mitre.org/software/S0106) to execute '
'various commands and payloads. Common uses include '
'[cmd](https://attack.mitre.org/software/S0106) to execute a '
'single command, or abusing '
'[cmd](https://attack.mitre.org/software/S0106) interactively '
'with input and output forwarded over a command and control '
'channel.',
'external_references': [{'external_id': 'T1059.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1059/003'},
{'description': 'Microsoft. (2020, May 19). Tutorial: '
'SSH in Windows Terminal. Retrieved '
'July 26, 2021.',
'source_name': 'SSH in Windows',
'url': 'https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh'}],
'id': 'attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:25.722Z',
'name': 'Windows Command Shell',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_remote_support': False,
'x_mitre_version': '1.5'}