What can someone do with (non-admin) command prompt on a network?























Say that an organization has a closed network - only its own computers can access it. Each of these computers has Windows 10 Enterprise. For obvious reasons, users aren't given administrator privileges. Anyone within the organization can easily get physical access to one of these devices. The organization is large enough (think university or big corporation) that users shouldn't be trusted.



What are the advantages of blocking cmd.exe? That is, what could a user do (bypassing filters, infecting other devices, installing unapproved software, etc.) from a non-elevated Command Prompt that they couldn't do without it?



No network is completely secure, especially if the potential hackers have physical access, but I want to know how much of a difference Command Prompt would make.



I assume that PowerShell and third-party programs like Git Bash would be about the same security-wise, but if there are significant differences, those would be helpful to know.










      network windows windows-10 windows-permissions
















      asked Dec 5 at 0:49









      Leo Wilson























          2 Answers
                accepted






                There's nothing you can do with cmd that you can't do with any other program, except run cmd. This will actually break some malware that specifically tries to invoke cmd without having fallbacks to other shells, but it will also break some legit software that uses functions such as system or otherwise spawns cmd processes. In general, cmd isn't a well-favored target for attack payloads - its scripting language is weak and a hassle to code for, and the much more capable powershell can now be expected on basically all Windows installs - but it is still the default shell and therefore some stuff will use it by default. If the attacker already has the ability to run arbitrary code other than cmd, the presence or absence of the ability to run cmd itself is mostly irrelevant.



                If most software is blocked (even stuff that doesn't need admin) - that is, if software is whitelisted rather than blacklisted - then cmd might make a difference. It facilitates some moderately tricky things like creating symlinks, hardlinks, and junctions (via its mklink built-in), and its scripting language, awful though it is, is better than nothing in the case that powershell, WSH (cscript or wscript), and so on are blocked and so is running arbitrary downloaded, compiled, or remote executables. An attack that wanted to do something like that might fail if the system was sufficiently locked down. However, most of what cmd can do is somewhat redundant (and it can't actually do much). Since some other software (such as explorer, the Windows graphical shell) would presumably still be available, most basic shell operations (navigating the file system, copying/moving/deleting files, launching programs, setting file metadata, accessing environment variables, etc.) would probably be available without cmd, and similarly things like editing files would presumably be available through notepad or some other editor. Running command-line programs (such as reg, the command-line registry utility) doesn't require cmd; they can be invoked (with arbitrary arguments) from within explorer.






                answered Dec 5 at 2:38









                CBHacking
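The comparison drawn in the accepted answer above, between blocking only cmd and allow-listing software, as an added example that is not part of the original posts. It is a constructed model in which rules match on executable file name only (real controls such as AppLocker match on path, publisher or hash); `legit_app.exe`, `downloaded_tool.exe` and the `needed` flag are hypothetical.

```python
from dataclasses import dataclass

# Shells and script hosts named in the answer: cmd, powershell, and the
# Windows Script Host front ends cscript and wscript.
INTERPRETERS = frozenset({"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"})


@dataclass(frozen=True)
class Launch:
    parent: str   # process requesting the launch
    image: str    # executable being started
    needed: bool  # assumption: True if the organization relies on this launch


# Constructed sample of launch attempts on one workstation (not real telemetry).
LAUNCHES = (
    Launch("explorer.exe", "legit_app.exe", needed=True),
    Launch("legit_app.exe", "cmd.exe", needed=True),    # application calling system()
    Launch("explorer.exe", "cmd.exe", needed=False),
    Launch("explorer.exe", "powershell.exe", needed=False),
    Launch("explorer.exe", "wscript.exe", needed=False),
    Launch("explorer.exe", "reg.exe", needed=False),    # console tool started without a shell
    Launch("explorer.exe", "notepad.exe", needed=True),
    Launch("explorer.exe", "downloaded_tool.exe", needed=False),
)


def deny_list(blocked):
    """Policy that permits everything except the named executables."""
    blocked = frozenset(name.lower() for name in blocked)
    return lambda image: image.lower() not in blocked


def allow_list(allowed):
    """Policy that permits only the named executables."""
    allowed = frozenset(name.lower() for name in allowed)
    return lambda image: image.lower() in allowed


def reachable_interpreters(policy):
    """Shells and script hosts the policy still lets a user start."""
    return {name for name in INTERPRETERS if policy(name)}


def audit(policy, launches=LAUNCHES):
    """Split launches into allowed and blocked, and list needed launches that break."""
    report = {"allowed": [], "blocked": [], "broken": []}
    for launch in launches:
        if policy(launch.image):
            report["allowed"].append(launch.image)
        else:
            report["blocked"].append(launch.image)
            if launch.needed:
                report["broken"].append(f"{launch.parent} -> {launch.image}")
    return report


# The measure asked about in the question: block cmd.exe and nothing else.
BLOCK_CMD_ONLY = deny_list({"cmd.exe"})
# The stricter setup the answer contrasts it with (hypothetical approved list).
ALLOW_LISTED = allow_list({"explorer.exe", "notepad.exe", "legit_app.exe"})


if __name__ == "__main__":
    for label, policy in (("block cmd only", BLOCK_CMD_ONLY), ("allow-list", ALLOW_LISTED)):
        report = audit(policy)
        print(label)
        print("  interpreters still reachable:", sorted(reachable_interpreters(policy)))
        print("  allowed launches:", report["allowed"])
        print("  needed launches broken:", report["broken"])
```

Under both policies the application that spawns cmd through `system` breaks, while only the allow-list also stops the other script hosts and the unapproved download.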

                    A user could download mIRC, and execute cmd with admin privileges through a /dde command, for example.







                    answered Dec 5 at 0:59









                    Federico













                    • mIRC is an Internet Relay Chat program. It can run in user mode. But it has a built-in DDE Server, that when initialized runs in SYSTEM. If you know how to start/call this server, you can make an administrator privileged CMD.exe console appear. From then on, you can do whatever you like.
                      – Federico
                      Dec 5 at 1:26










                    • Would there be a way to block elevated command prompt without blocking it entirely?
                      – Leo Wilson
                      Dec 5 at 1:35








                    • You can't install a service, or launch a process as SYSTEM, without already having elevated permissions at some point. Downloading the mIRC installer doesn't mean you can run it, and if you do run it without Admin privileges, it won't be able to install an elevated server. Also, none of this has anything to do with CMD; you could do it without any shell process being available at all.
                      – CBHacking
                      Dec 5 at 1:40










                    • Try it yourself. /ddeserver on mIRC
                      – Federico
                      Dec 5 at 1:48






                    • The mIRC installer requires admin privileges, so that's a "problem" by itself for this "answer". Just for you, I went and installed it anyhow. Turning on the DDEserver (which just means "a window in this process listens for inter-process messages") doesn't launch any new processes, as SYSTEM or otherwise. Nor does the command you gave launch a privileged process. If you think it does, go ask another question about how it does that (and be prepared to provide functional repro steps).
                      – CBHacking
                      Dec 5 at 2:38

















