What can someone do with (non-admin) command prompt on a network?
Say that an organization has a closed network - only its own computers can access it. Each of these computers has Windows 10 Enterprise. For obvious reasons, users aren't given administrator privileges. Anyone within the organization can easily get physical access to one of these devices. The organization is large enough (think university or big corporation) that users shouldn't be trusted.
What are the advantages of blocking cmd.exe? That is, what could a user do (bypassing filters, infecting other devices, installing unapproved software, etc.) from a non-elevated Command Prompt that they couldn't do without it?
No network is completely secure, especially if the potential hackers have physical access, but I want to know how much of a difference Command Prompt would make.
I assume that PowerShell and third-party programs like Git Bash would be about the same security-wise, but if there are significant differences, those would be helpful to know.
network windows windows-10 windows-permissions
asked Dec 5 at 0:49
Leo Wilson
2 Answers
There's nothing you can do with cmd that you can't do with any other program, except run cmd. This will actually break some malware that specifically tries to invoke cmd without having fallbacks to other shells, but it will also break some legit software that uses functions such as system or otherwise spawns cmd processes. In general, cmd isn't a well-favored target for attack payloads - its scripting language is weak and a hassle to code for, and the much more capable powershell can now be expected on basically all Windows installs - but it is still the default shell and therefore some stuff will use it by default. If the attacker already has the ability to run arbitrary code other than cmd, the presence or absence of the ability to run cmd itself is mostly irrelevant.
If most software is blocked (even stuff that doesn't need admin) - that is, if software is whitelisted rather than blacklisted - then cmd might make a difference. It facilitates some moderately tricky things like creating symlinks, hardlinks, and junctions (via its mklink built-in), and its scripting language, awful though it is, is better than nothing in the case that powershell, WSH (cscript or wscript), and so on are blocked and so is running arbitrary downloaded, compiled, or remote executables. An attack that wanted to do something like that might fail if the system was sufficiently locked down. However, most of what cmd can do is somewhat redundant (and it can't actually do much). Since some other software (such as explorer, the Windows graphical shell) would presumably still be available, most basic shell operations (navigating the file system, copying/moving/deleting files, launching programs, setting file metadata, accessing environment variables, etc.) would probably be available without cmd, and similarly things like editing files would presumably be available through notepad or some other editor. Running command-line programs (such as reg, the command-line registry utility) doesn't require cmd; they can be invoked (with arbitrary arguments) from within explorer.
answered Dec 5 at 2:38
CBHacking
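The blacklist-versus-whitelist argument in the answer above can be checked with a small policy model. This is an added example, not code from the answer or from any Windows component: the candidate paths, the `student` profile, `tool.exe` and the allow-list contents are constructed assumptions, and the model only compares rule sets, it does not enforce anything.

```python
"""Model: how much does blocking cmd.exe remove under a deny-list vs an allow-list?"""
from ntpath import basename  # parses Windows paths on any operating system

SYS32 = r"C:\Windows\System32"

# Constructed candidate programs, taken from the ones the answer names.
CMD = SYS32 + r"\cmd.exe"
CANDIDATES = [
    CMD,
    SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
    SYS32 + r"\cscript.exe",
    SYS32 + r"\wscript.exe",
    SYS32 + r"\reg.exe",
    SYS32 + r"\notepad.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\student\Downloads\tool.exe",  # hypothetical downloaded binary
]

# Programs that hand the user a scripting language or arbitrary code.
CODE_HOSTS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "tool.exe"}


def deny_by_name(denied_names):
    """Deny-list: everything runs except the listed file names."""
    denied = {n.lower() for n in denied_names}
    return lambda path: basename(path).lower() not in denied


def allow_by_path(allowed_paths):
    """Allow-list: nothing runs except the listed full paths."""
    allowed = {p.lower() for p in allowed_paths}  # Windows paths ignore case
    return lambda path: path.lower() in allowed


def runnable(policy, candidates=CANDIDATES):
    """File names of the candidates that the policy lets start."""
    return [basename(p) for p in candidates if policy(p)]


def code_hosts_left(policy):
    """Code-execution hosts still available to the user under the policy."""
    return sorted(n for n in runnable(policy) if n.lower() in CODE_HOSTS)


# Policy A: only cmd.exe is blocked (the question's proposal).
BLOCK_CMD_ONLY = deny_by_name({"cmd.exe"})

# Policy B: a hypothetical allow-list with no script host on it.
BASE_ALLOWED = {
    r"C:\Windows\explorer.exe",
    SYS32 + r"\notepad.exe",
    SYS32 + r"\reg.exe",
}
ALLOWLIST = allow_by_path(BASE_ALLOWED)

# Policy C: the same allow-list with cmd.exe added back.
ALLOWLIST_PLUS_CMD = allow_by_path(BASE_ALLOWED | {CMD})


if __name__ == "__main__":
    for label, policy in [
        ("deny cmd.exe only", BLOCK_CMD_ONLY),
        ("allow-list", ALLOWLIST),
        ("allow-list + cmd.exe", ALLOWLIST_PLUS_CMD),
    ]:
        print(f"{label:22} runnable={runnable(policy)}")
        print(f"{'':22} code hosts left={code_hosts_left(policy)}")
```

Under the deny-list, removing cmd.exe leaves every other code host in place; under the allow-list, cmd.exe is the only code host whose presence changes the result.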
A user could download mIRC, and execute cmd with admin privileges through a /dde command, for example.
answered Dec 5 at 0:59
Federico
mIRC is an Internet Relay Chat program. It can run in user mode. But it has a built in DDE Server, that when initialized runs in SYSTEM. If you know how to start/call this server, you can make an administrator privileged CMD.exe console appear. From then on, you can do whatever you like.
– Federico
Dec 5 at 1:26
Would there be a way to block elevated command prompt without blocking it entirely?
– Leo Wilson
Dec 5 at 1:35
1
You can't install a service, or launch a process as SYSTEM, without already having elevated permissions at some point. Downloading the mIRC installer doesn't mean you can run it, and if you do run it without Admin privileges, it won't be able to install an elevated server. Also, none of this has anything to do with CMD; you could do it without any shell process being available at all.
– CBHacking
Dec 5 at 1:40
try it yourself. /ddeserver on mIRC
– Federico
Dec 5 at 1:48
3
The mIRC installer requires admin privileges, so that's a "problem" by itself for this "answer". Just for you, I went and installed it anyhow. Turning on the DDEserver (which just means "a window in this process listens for inter-process messages") doesn't launch any new processes, as SYSTEM or otherwise. Nor does the command you gave launch a privileged process. If you think it does, go ask another question about how it does that (and be prepared to provide functional repro steps).
– CBHacking
Dec 5 at 2:38