cmd

Windows CMD execution T1059.003

Windows Command Processor. Spawning cmd.exe is a common technique for executing commands, creating shells, and chaining operations.

Binary Paths

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe

Glob Patterns

Pattern Notes
for /f %i in ('where cm?.exe') do %i /c whoami
Wildcard replaces 'd' — note: may also match cmp.exe if GNU tools are in PATH; prefer forfiles /p to scope to System32
for /f %i in ('where c*d.exe') do %i
Star matches 'm'
for /f %i in ('dir /b C:\Windows\System32\cm?.exe') do %i
dir glob search with wildcard
%COMSPEC%
Environment variable resolves to cmd.exe path — not a glob but a common evasion
for /f %i in ('where cmd*') do %i /c ...
Star suffix matches cmd.exe
forfiles /p C:\Windows\System32 /m cm?.exe /c "@file /c whoami"
forfiles ? wildcard in /m mask finds cmd.exe — @file expands to matched filename
C:\WINDOW~1\System32\cmd.exe /c whoami
8.3 SFN for the Windows directory — WINDOW~1 resolves to Windows; requires NtfsDisable8dot3NameCreation=0
%SystemRoot%\System32\%COMSPEC:~-7%
Substring extraction — %COMSPEC% is the full path to cmd.exe; :~-7 extracts last 7 chars ('cmd.exe'), combined with %SystemRoot% to form full path
for %i in (C:\Windows\System32\cm?.exe) do @%i /c whoami
Native CMD for loop with filesystem glob — cm? expands to cmd.exe directly in System32
for /f %i in ('where /r C:\Windows cm?.exe') do %i /c whoami
Recursive where search across Windows tree — finds cmd.exe in System32 and SysWOW64
set a=cm& set b=d& call %a%%b%.exe /c whoami
Binary name split across two SET variables — CALL resolves %a%%b%.exe=cmd.exe; name never appears as a literal string
cmd /v:on /c "set x=cmd& !x! /c whoami"
Delayed variable expansion — /v:on enables !var! syntax; !x! resolves at runtime, evading parse-time static analysis
for /f %i in ('where cm?.exe') do start "" /b %i /c whoami
start /b launches resolved cmd.exe as a background process — changes parent process attribution in event logs

Pattern Tester

$

Try typing cmd or a full path like C:\Windows\System32\cmd.exe

YARA Rule

Auto-generated detection rule for cmd 

      

    


    

    
    

      
Resources

      
    

    

    

  


  

    
    
    
    
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
      
    
      
    

      
      
        ← Previous
        chown
      
      

      Catalog

      
      
        Next →
        cscript