T1059.003

Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. Batch files (.bat or .cmd) also provide the shell with a list of sequential commands to run. Adversaries may leverage cmd.exe to execute various commands and payloads, including single commands, interactive shells with C2 forwarding, and batch file execution.

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "certutil -urlcache", "certutil -decode", "certutil -encode",
  "bitsadmin /transfer", "bitsadmin /create",
  "reg add", "reg delete", "reg save",
  "schtasks /create", "schtasks /change",
  "net user /add", "net localgroup administrators",
  "wmic process call create", "wmic shadowcopy delete",
  "vssadmin delete shadows", "bcdedit /set",
  "icacls /grant", "takeown /f",
  "echo | set /p=", "for /f",
  "ping -n 1 -w", "> \\\\pipe\\"
]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_any (SuspiciousPatterns) or InitiatingProcessFileName has_any (SuspiciousParents)
| extend CertutilAbuse = ProcessCommandLine has_any ("certutil -urlcache", "certutil -decode")
| extend ScheduledTask = ProcessCommandLine has "schtasks /create"
| extend UserCreation = ProcessCommandLine has "net user /add"
| extend ShadowDelete = ProcessCommandLine has_any ("vssadmin delete shadows", "wmic shadowcopy delete")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         CertutilAbuse, ScheduledTask, UserCreation, ShadowDelete, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators using cmd.exe with certutil for legitimate certificate operations
Deployment scripts that create scheduled tasks for software installation or patching
Backup solutions that interact with VSS shadow copies during backup operations
IT automation tools using batch files for endpoint configuration

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name : "cmd.exe" and
  (
    process.command_line : (
      "*certutil*-urlcache*", "*certutil*-decode*", "*certutil*-encode*",
      "*bitsadmin*/transfer*", "*bitsadmin*/create*",
      "*reg*add*", "*reg*delete*", "*reg*save*",
      "*schtasks*/create*", "*schtasks*/change*",
      "*net*user*/add*", "*net*localgroup*administrators*",
      "*wmic*process*call*create*", "*wmic*shadowcopy*delete*",
      "*vssadmin*delete*shadows*", "*bcdedit*/set*",
      "*icacls*/grant*", "*takeown*/f*"
    ) or
    process.parent.name : (
      "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
      "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"
    )
  )
| eval certutil_abuse = process.command_line like~ "*certutil*-urlcache*" or process.command_line like~ "*certutil*-decode*"
| eval shadow_delete = process.command_line like~ "*vssadmin*delete*shadows*" or process.command_line like~ "*wmic*shadowcopy*delete*"
| eval sched_task = process.command_line like~ "*schtasks*/create*"
| eval user_creation = process.command_line like~ "*net*user*/add*"
| eval suspicious_parent = process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Windows Security Event Log via Filebeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-windows.*

False Positives

IT administrators running certutil.exe for legitimate SSL/TLS certificate import or export operations via cmd.exe wrappers
Software deployment tools (SCCM, PDQ Deploy, Ansible) executing cmd.exe batch scripts that invoke schtasks, net user, or reg commands during provisioning
Security and vulnerability scanners (Tenable, Rapid7) spawning cmd.exe sub-processes with administrative commands as part of credentialed audits
Developer workstations running build scripts (MSBuild, Makefile targets) that invoke cmd.exe with reg or icacls to set permissions on build artifacts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  "Computer Name" AS "Hostname",
  QIDNAME(qid) AS "Event Name",
  "Process Image" AS "Process",
  LOWER("Command Line") AS "Command Line",
  "Parent Image" AS "Parent Process",
  CASE WHEN LOWER("Command Line") LIKE '%certutil%-urlcache%'
            OR LOWER("Command Line") LIKE '%certutil%-decode%'
            OR LOWER("Command Line") LIKE '%certutil%-encode%'
       THEN 1 ELSE 0 END AS "CertutilAbuse",
  CASE WHEN LOWER("Command Line") LIKE '%schtasks%/create%' THEN 1 ELSE 0 END AS "ScheduledTask",
  CASE WHEN LOWER("Command Line") LIKE '%net user%/add%'
            OR LOWER("Command Line") LIKE '%net localgroup%administrators%'
       THEN 1 ELSE 0 END AS "UserOrGroupManip",
  CASE WHEN LOWER("Command Line") LIKE '%vssadmin%delete%shadows%'
            OR LOWER("Command Line") LIKE '%wmic%shadowcopy%delete%'
       THEN 1 ELSE 0 END AS "ShadowDelete",
  CASE WHEN LOWER("Command Line") LIKE '%bcdedit%/set%' THEN 1 ELSE 0 END AS "BCDEdit",
  CASE WHEN LOWER("Parent Image") LIKE '%winword.exe'
            OR LOWER("Parent Image") LIKE '%excel.exe'
            OR LOWER("Parent Image") LIKE '%powerpnt.exe'
            OR LOWER("Parent Image") LIKE '%outlook.exe'
            OR LOWER("Parent Image") LIKE '%mshta.exe'
            OR LOWER("Parent Image") LIKE '%wscript.exe'
            OR LOWER("Parent Image") LIKE '%cscript.exe'
            OR LOWER("Parent Image") LIKE '%rundll32.exe'
            OR LOWER("Parent Image") LIKE '%regsvr32.exe'
       THEN 1 ELSE 0 END AS "SuspiciousParent"
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 352)
  AND (
    ("Event ID" = 1 OR "Event ID" = 4688)
    AND LOWER("Process Image") LIKE '%\\cmd.exe'
  )
  AND (
    LOWER("Command Line") LIKE '%certutil%-urlcache%'
    OR LOWER("Command Line") LIKE '%certutil%-decode%'
    OR LOWER("Command Line") LIKE '%certutil%-encode%'
    OR LOWER("Command Line") LIKE '%bitsadmin%/transfer%'
    OR LOWER("Command Line") LIKE '%bitsadmin%/create%'
    OR LOWER("Command Line") LIKE '%schtasks%/create%'
    OR LOWER("Command Line") LIKE '%schtasks%/change%'
    OR LOWER("Command Line") LIKE '%net user%/add%'
    OR LOWER("Command Line") LIKE '%net localgroup%administrators%'
    OR LOWER("Command Line") LIKE '%wmic%process%call%create%'
    OR LOWER("Command Line") LIKE '%wmic%shadowcopy%delete%'
    OR LOWER("Command Line") LIKE '%vssadmin%delete%shadows%'
    OR LOWER("Command Line") LIKE '%bcdedit%/set%'
    OR LOWER("Command Line") LIKE '%icacls%/grant%'
    OR LOWER("Command Line") LIKE '%takeown%/f%'
    OR LOWER("Parent Image") LIKE '%winword.exe'
    OR LOWER("Parent Image") LIKE '%excel.exe'
    OR LOWER("Parent Image") LIKE '%powerpnt.exe'
    OR LOWER("Parent Image") LIKE '%outlook.exe'
    OR LOWER("Parent Image") LIKE '%mshta.exe'
    OR LOWER("Parent Image") LIKE '%wscript.exe'
    OR LOWER("Parent Image") LIKE '%cscript.exe'
    OR LOWER("Parent Image") LIKE '%rundll32.exe'
    OR LOWER("Parent Image") LIKE '%regsvr32.exe'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon (QRadar DSM) Windows Security Event Log (QRadar DSM)

Required Tables

events

False Positives

Endpoint management agents (BigFix, Tanium) executing cmd.exe scripts with reg, schtasks, or icacls commands as part of patch compliance remediation
Backup software (Veeam, Acronis) invoking vssadmin or wmic commands through wrapper batch files to manage VSS snapshots during backup cycles
Microsoft Office macros in approved enterprise templates that legitimately shell out to cmd.exe for file operations or printer configuration

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
| where EventCode=1 OR EventID=1
| parse regex field=_raw "(?i)Image(?:FileName)?[:\s]+(?<Image>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)CommandLine[:\s]+(?<CommandLine>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)ParentImage[:\s]+(?<ParentImage>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User[:\s]+(?<User>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:Computer|Hostname)[:\s]+(?<Computer>[^\r\n]+)" nodrop
| where Image matches "*\\cmd.exe"
| toLowerCase CommandLine as CommandLineLower
| eval CertutilAbuse = if(CommandLineLower matches "*certutil*-urlcache*" OR CommandLineLower matches "*certutil*-decode*" OR CommandLineLower matches "*certutil*-encode*", 1, 0)
| eval ScheduledTask = if(CommandLineLower matches "*schtasks*/create*" OR CommandLineLower matches "*schtasks*/change*", 1, 0)
| eval UserCreation = if(CommandLineLower matches "*net user*/add*" OR CommandLineLower matches "*net localgroup*administrators*", 1, 0)
| eval ShadowDelete = if(CommandLineLower matches "*vssadmin*delete*shadows*" OR CommandLineLower matches "*wmic*shadowcopy*delete*", 1, 0)
| eval BCDEdit = if(CommandLineLower matches "*bcdedit*/set*", 1, 0)
| eval BitsAdminAbuse = if(CommandLineLower matches "*bitsadmin*/transfer*" OR CommandLineLower matches "*bitsadmin*/create*", 1, 0)
| eval SuspiciousParent = if(ParentImage matches "*winword.exe" OR ParentImage matches "*excel.exe" OR ParentImage matches "*powerpnt.exe" OR ParentImage matches "*outlook.exe" OR ParentImage matches "*mshta.exe" OR ParentImage matches "*wscript.exe" OR ParentImage matches "*cscript.exe" OR ParentImage matches "*rundll32.exe" OR ParentImage matches "*regsvr32.exe", 1, 0)
| eval SuspicionScore = CertutilAbuse + ScheduledTask + UserCreation + ShadowDelete + BCDEdit + BitsAdminAbuse + SuspiciousParent
| where SuspicionScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, CertutilAbuse, ScheduledTask, UserCreation, ShadowDelete, BCDEdit, BitsAdminAbuse, SuspiciousParent, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon via Sumo Logic Windows Event Log Source Windows Security Event Log via Sumo Logic Cloud Syslog

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*

False Positives

Automated deployment pipelines (Jenkins, GitHub Actions self-hosted runners) invoking cmd.exe with certutil for certificate thumbprint verification or base64 decoding of build secrets
Windows Server scheduled tasks created by DBA tooling that use cmd.exe wrappers around SQL Server management scripts with schtasks and reg commands
Antivirus or EDR remediation scripts that spawn cmd.exe to invoke icacls or takeown when quarantining files or repairing permissions after malware removal

Google Chronicle / SecOps

yaral

rule t1059_003_windows_cmd_shell_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1059.003 Windows Command Shell abuse — suspicious cmd.exe executions using certutil, bitsadmin, schtasks, net user, wmic/vssadmin shadow deletion, bcdedit, or cmd.exe spawned from Office or script-interpreter parents."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1059/003/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`) or
      $e.target.process.file.basename = "cmd.exe"
    )
    (
      re.regex($e.target.process.command_line,
        `(?i)(certutil\s+(-urlcache|-decode|-encode)|bitsadmin\s+(/transfer|/create)|reg\s+(add|delete|save)\s|schtasks\s+(/create|/change)|net\s+user\s+.*\s*/add|net\s+localgroup\s+administrators|wmic\s+(process\s+call\s+create|shadowcopy\s+delete)|vssadmin\s+delete\s+shadows|bcdedit\s+/set|icacls\s+/grant|takeown\s+/f|echo\s+\|\s+set\s+/p=|>\s*\\\\pipe\\)`) or
      re.regex($e.principal.process.file.full_path,
        `(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32)\.exe$`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)certutil\s+(-urlcache|-decode)`), 30, 0) +
      if(re.regex($e.target.process.command_line, `(?i)vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete`), 40, 0) +
      if(re.regex($e.target.process.command_line, `(?i)schtasks\s+/create`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)net\s+user\s+.*\s*/add`), 25, 0) +
      if(re.regex($e.target.process.command_line, `(?i)bcdedit\s+/set`), 35, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(mshta|wscript|cscript|rundll32|regsvr32)\.exe$`), 40, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook)\.exe$`), 50, 0)
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e and $risk_score > 0
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder Sysmon via Chronicle Windows Event Log ingestion

Required Tables

UDM Events (PROCESS_LAUNCH type)

False Positives

Enterprise certificate lifecycle management tools that invoke certutil via cmd.exe for certificate enrollment, renewal, or CRL verification on managed endpoints
Legitimate system imaging and backup solutions using vssadmin or wmic through batch wrappers to manage snapshot lifecycles during scheduled maintenance windows
Group Policy-based login scripts distributed via Active Directory that spawn cmd.exe from winlogon to configure user environments using reg, net, or schtasks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /\\cmd\.exe$/i
| CommandLine != null
| eval CertutilAbuse = if(CommandLine = /(?i)certutil\s+(-urlcache|-decode|-encode)/, "1", "0")
| eval ScheduledTask = if(CommandLine = /(?i)schtasks\s+(\/create|\/change)/, "1", "0")
| eval UserCreation = if(CommandLine = /(?i)(net\s+user\s+.+\/add|net\s+localgroup\s+administrators)/, "1", "0")
| eval ShadowDelete = if(CommandLine = /(?i)(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)/, "1", "0")
| eval BCDEdit = if(CommandLine = /(?i)bcdedit\s+\/set/, "1", "0")
| eval BitsAdminAbuse = if(CommandLine = /(?i)bitsadmin\s+(\/transfer|\/create)/, "1", "0")
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32)\.exe$/, "1", "0")
| eval SuspicionScore = toint(CertutilAbuse) + toint(ScheduledTask) + toint(UserCreation) + toint(ShadowDelete) + toint(BCDEdit) + toint(BitsAdminAbuse) + toint(SuspiciousParent)
| SuspicionScore > 0
| eval Severity = case(
    SuspicionScore >= 4, "Critical",
    SuspicionScore >= 2, "High",
    SuspicionScore >= 1, "Medium"
  )
| table([@timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, CertutilAbuse, ScheduledTask, UserCreation, ShadowDelete, BCDEdit, BitsAdminAbuse, SuspiciousParent, SuspicionScore, Severity])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 events via Humio/LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon sensor updates or CrowdStrike remediation scripts that invoke cmd.exe with icacls or reg commands to repair quarantined file permissions or registry keys
RMM tools (ConnectWise, NinjaRMM, Datto) executing remote PowerShell-to-cmd.exe call chains for patch deployment, software installation, or device configuration changes
SQL Server or IIS maintenance tasks using agent jobs that shell out to cmd.exe with schtasks or net commands to manage service accounts or scheduled jobs

Last updated: 2026-04-16 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1059.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Windows Command Shell

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections