T1059.003

Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/technique...

Platform: Windows
79 Detections | 3 Sources | 71 Threat Actors

BY SOURCE

elastic: 38 | sigma: 27 | splunk_escu: 14

PROCEDURES (49)

Each entry is an auto-extracted procedure category with its detection count.

Process Creation Monitoring: 10 detections
Script Execution Monitoring: 6 detections
Powershell: 4 detections
General Monitoring: 3 detections
Service: 2 detections
Parent Process: 2 detections
Exfiltrat: 2 detections
Suspicious: 2 detections
Powershell: 2 detections
Phish: 2 detections
Evasion: 2 detections
Suspicious: 2 detections
Remote: 2 detections
Child Process: 2 detections
Remote: 2 detections
Download: 1 detection
Api: 1 detection
Privilege: 1 detection
Inject: 1 detection
Child Process: 1 detection
Suspicious: 1 detection
Remote: 1 detection
Lateral: 1 detection
Child Process: 1 detection
Privilege: 1 detection
Inject: 1 detection
Lateral: 1 detection
Api: 1 detection
Service: 1 detection
Network Connection Monitoring: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Lateral: 1 detection
Command And Control: 1 detection
Startup: 1 detection
Exfiltrat: 1 detection
Privilege: 1 detection
Office: 1 detection
Api: 1 detection
Startup: 1 detection
Remote: 1 detection
Persist: 1 detection
Persist: 1 detection
Child Process: 1 detection
Powershell: 1 detection
C2: 1 detection
Remote: 1 detection
Download: 1 detection
Suspicious: 1 detection

DETECTIONS (79)

Each entry lists the detection name followed by its source and, where the source provides one, its severity level.

AppLocker Prevented Application or Script from Running (sigma, medium)
AWS EC2 Startup Shell Script Change (sigma, high)
CMD Carry Out String Command Parameter (splunk_escu)
CMD Echo Pipe - Escalation (splunk_escu)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Command Execution via SolarWinds Process (elastic, medium)
Command Line Execution with Suspicious URL and AppData Strings (sigma, medium)
Command Shell Activity Started via RunDLL32 (elastic, low)
Conhost.exe CommandLine Path Traversal (sigma, high)
CrushFTP Authentication Bypass Exploitation (splunk_escu)
Delayed Execution via Ping (elastic, low)
Detect Prohibited Applications Spawning cmd exe (splunk_escu)
Detect Use of cmd exe to Launch Script Interpreters (splunk_escu)
DNS Query by Finger Utility (sigma, high)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via MSSQL xp_cmdshell Stored Procedure (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
HackTool - CrackMapExec Execution (sigma, high)
HackTool - CrackMapExec Execution Patterns (sigma, high)
HackTool - Jlaive In-Memory Assembly Execution (sigma, medium)
HackTool - Koadic Execution (sigma, high)
HackTool - RedMimicry Winnti Playbook Execution (sigma, high)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Exchange Worker Spawning Suspicious Processes (elastic, high)
Network Connection Initiated via Finger.EXE (sigma, high)
OpenEDR Spawning Command Shell (sigma, medium)
Operator Bloopers Cobalt Strike Commands (sigma, high)
Operator Bloopers Cobalt Strike Modules (sigma, high)
Potential Command Shell via NetCat (elastic, high)
Potential CommandLine Path Traversal Via Cmd.EXE (sigma, high)
Potential Execution via FileFix Phishing Attack (elastic, high)
Potential Fake CAPTCHA Phishing Attack (elastic, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential SharpRDP Behavior (elastic, high)
Powershell Execute Batch Script (sigma, medium)
Powershell Executed From Headless ConHost Process (sigma, medium)
Process Activity via Compiled HTML File (elastic, medium)
Proxy Execution via Console Window Host (elastic, high)
PUA - AdvancedRun Execution (sigma, medium)
Read Contents From Stdin Via Cmd.EXE (sigma, medium)
Remote Access Tool - ScreenConnect Command Execution (sigma, low)
Remote Access Tool - ScreenConnect File Transfer (sigma, low)
Remote Access Tool - ScreenConnect Remote Command Execution (sigma, low)
Remote Access Tool - ScreenConnect Temporary File (sigma, low)
Ryuk Wake on LAN Command (splunk_escu)
ScreenConnect Server Spawning Suspicious Processes (elastic, high)
Service Control Spawned via Script Interpreter (elastic, low)
Suspicious Cmd Execution via WMI (elastic, high)
Suspicious Command Prompt Network Connection (elastic, low)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Explorer Child Process (elastic, medium)
Suspicious HH.EXE Execution (sigma, high)
Suspicious HWP Sub Processes (sigma, high)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Microsoft HTML Application Child Process (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious MS Outlook Child Process (elastic, low)
Suspicious React Server Child Process (elastic, high)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Shell Execution via Velociraptor (elastic, medium)
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (elastic, high)
Suspicious Usage of For Loop with Recursive Directory Search in CMD (sigma, medium)
Suspicious Windows Command Shell Arguments (elastic, high)
Suspicious Zoom Child Process (elastic, medium)
System Shells via Services (elastic, medium)
Web Shell Detection: Script Process Child of Common Web Processes (elastic, high)
Windows Command Shell DCRat ForkBomb Payload (splunk_escu)
Windows PowerShell FakeCAPTCHA Clipboard Execution (splunk_escu)
Windows Powershell History File Deletion (splunk_escu)
Windows PowerShell Invoke-Sqlcmd Execution (splunk_escu)
Windows Server Update Service Spawning Suspicious Processes (elastic, high)
Windows Shell Process from CrushFTP (splunk_escu)
Windows SQLCMD Execution (splunk_escu)
Windows Suspicious React or Next.js Child Process (splunk_escu)
Windows TinyCC Shellcode Execution (splunk_escu)