T1059.003 — Windows Command Shell

Technique

T1059.003

Tactics

Execution

MISP citations

0

KEV CVEs mapped

6

Community rules

45

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1059/003

MITRE description

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows) Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-49706
• CVE-2025-49704
• CVE-2023-42793
• CVE-2023-27532
• CVE-2021-40449
• CVE-2021-22899

Detection coverage

SigmaHQ community rules

• ZxShell Malware (emerging-threats)
• Elise Backdoor Activity (emerging-threats)
• Sofacy Trojan Loader Activity (emerging-threats)
• Exploiting SetupComplete.cmd CVE-2019-1378 (emerging-threats)
• Potential Baby Shark Malware Activity (emerging-threats)
• Exploited CVE-2020-10189 Zoho ManageEngine (emerging-threats)
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE (emerging-threats)
• Rorschach Ransomware Execution Activity (emerging-threats)
• Potential APT FIN7 Exploitation Activity (emerging-threats)
• Suspicious Process Spawned by CentreStack Portal AppPool (emerging-threats)
• Suspicious CrushFTP Child Process (emerging-threats)
• Potential SAP NetWeaver Webshell Creation - Linux (emerging-threats)
• Potential SAP NetWeaver Webshell Creation (emerging-threats)
• Suspicious Child Process of SAP NetWeaver - Linux (emerging-threats)
• Suspicious Child Process of SAP NetWeaver (emerging-threats)
• Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) (emerging-threats)
• Axios NPM Compromise Indicators - Windows (emerging-threats)
• Headless Process Launched Via Conhost.EXE (threat-hunting)
• AWS EC2 Startup Shell Script Change (core)
• Remote Access Tool - ScreenConnect Command Execution (core)
• Remote Access Tool - ScreenConnect File Transfer (core)
• AppLocker Prevented Application or Script from Running (core)
• DNS Query by Finger Utility (core)
• Remote Access Tool - ScreenConnect Temporary File (core)
• Network Connection Initiated via Finger.EXE (core)

Showing 25 of 45 community rules — the full set is tagged attack.t1059.003 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.