
Detect Windows Command Shell in IBM QRadar

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. Batch files (.bat or .cmd) also provide the shell with a list of sequential commands to run. Adversaries may leverage cmd.exe to execute various commands and payloads, including single commands, interactive shells with C2 forwarding, and batch file execution.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.003 Windows Command Shell
Canonical reference
https://attack.mitre.org/techniques/T1059/003/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
  username AS "Username",
  "Computer Name" AS "Hostname",
  QIDNAME(qid) AS "Event Name",
  "Process Image" AS "Process",
  LOWER("Command Line") AS "Command Line",
  "Parent Image" AS "Parent Process",
  CASE WHEN LOWER("Command Line") LIKE '%certutil%-urlcache%'
            OR LOWER("Command Line") LIKE '%certutil%-decode%'
            OR LOWER("Command Line") LIKE '%certutil%-encode%'
       THEN 1 ELSE 0 END AS "CertutilAbuse",
  CASE WHEN LOWER("Command Line") LIKE '%bitsadmin%/transfer%'
            OR LOWER("Command Line") LIKE '%bitsadmin%/create%'
       THEN 1 ELSE 0 END AS "BitsadminTransfer",
  CASE WHEN LOWER("Command Line") LIKE '%schtasks%/create%'
            OR LOWER("Command Line") LIKE '%schtasks%/change%'
       THEN 1 ELSE 0 END AS "ScheduledTask",
  CASE WHEN LOWER("Command Line") LIKE '%net user%/add%'
            OR LOWER("Command Line") LIKE '%net localgroup%administrators%'
       THEN 1 ELSE 0 END AS "UserOrGroupManip",
  CASE WHEN LOWER("Command Line") LIKE '%wmic%process%call%create%'
       THEN 1 ELSE 0 END AS "WmicProcessCreate",
  CASE WHEN LOWER("Command Line") LIKE '%vssadmin%delete%shadows%'
            OR LOWER("Command Line") LIKE '%wmic%shadowcopy%delete%'
       THEN 1 ELSE 0 END AS "ShadowDelete",
  CASE WHEN LOWER("Command Line") LIKE '%bcdedit%/set%' THEN 1 ELSE 0 END AS "BCDEdit",
  CASE WHEN LOWER("Command Line") LIKE '%icacls%/grant%'
            OR LOWER("Command Line") LIKE '%takeown%/f%'
       THEN 1 ELSE 0 END AS "PermissionChange",
  CASE WHEN LOWER("Parent Image") LIKE '%winword.exe'
            OR LOWER("Parent Image") LIKE '%excel.exe'
            OR LOWER("Parent Image") LIKE '%powerpnt.exe'
            OR LOWER("Parent Image") LIKE '%outlook.exe'
            OR LOWER("Parent Image") LIKE '%mshta.exe'
            OR LOWER("Parent Image") LIKE '%wscript.exe'
            OR LOWER("Parent Image") LIKE '%cscript.exe'
            OR LOWER("Parent Image") LIKE '%rundll32.exe'
            OR LOWER("Parent Image") LIKE '%regsvr32.exe'
       THEN 1 ELSE 0 END AS "SuspiciousParent"
FROM events
WHERE
  devicetype IN (12, 352)
  AND "Event ID" IN (1, 4688)
  AND LOWER("Process Image") LIKE '%\\cmd.exe'
  AND (
    LOWER("Command Line") LIKE '%certutil%-urlcache%'
    OR LOWER("Command Line") LIKE '%certutil%-decode%'
    OR LOWER("Command Line") LIKE '%certutil%-encode%'
    OR LOWER("Command Line") LIKE '%bitsadmin%/transfer%'
    OR LOWER("Command Line") LIKE '%bitsadmin%/create%'
    OR LOWER("Command Line") LIKE '%schtasks%/create%'
    OR LOWER("Command Line") LIKE '%schtasks%/change%'
    OR LOWER("Command Line") LIKE '%net user%/add%'
    OR LOWER("Command Line") LIKE '%net localgroup%administrators%'
    OR LOWER("Command Line") LIKE '%wmic%process%call%create%'
    OR LOWER("Command Line") LIKE '%wmic%shadowcopy%delete%'
    OR LOWER("Command Line") LIKE '%vssadmin%delete%shadows%'
    OR LOWER("Command Line") LIKE '%bcdedit%/set%'
    OR LOWER("Command Line") LIKE '%icacls%/grant%'
    OR LOWER("Command Line") LIKE '%takeown%/f%'
    OR LOWER("Parent Image") LIKE '%winword.exe'
    OR LOWER("Parent Image") LIKE '%excel.exe'
    OR LOWER("Parent Image") LIKE '%powerpnt.exe'
    OR LOWER("Parent Image") LIKE '%outlook.exe'
    OR LOWER("Parent Image") LIKE '%mshta.exe'
    OR LOWER("Parent Image") LIKE '%wscript.exe'
    OR LOWER("Parent Image") LIKE '%cscript.exe'
    OR LOWER("Parent Image") LIKE '%rundll32.exe'
    OR LOWER("Parent Image") LIKE '%regsvr32.exe'
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: High · Confidence: High

AQL query that returns cmd.exe process-creation events from Sysmon (Event ID 1) and the Windows Security log (Event ID 4688) whose command line or parent process matches one of the listed abuse patterns. Every pattern group in the WHERE clause has a matching 1/0 flag column (certutil, bitsadmin, schtasks, net user/localgroup, wmic process creation, shadow-copy deletion, bcdedit, icacls/takeown, and Office or script-interpreter parents), so a row is never returned with all flags at 0 and analysts can sort or group on the flags without re-parsing the command line. The log source type filter uses the events table's devicetype column; 12 is the Microsoft Windows Security Event Log DSM and 352 is listed here for Sysmon. In AQL the time-range clause (LAST 24 HOURS) comes after ORDER BY. Before deploying, confirm the assumptions the query makes:

  • "Event ID", "Process Image", "Command Line", "Parent Image" and "Computer Name" are custom event properties. Names differ between deployments and between the two event types (Sysmon's Image, CommandLine and ParentImage versus 4688's New Process Name, Process Command Line and Creator Process Name), so map them to whatever your DSM actually extracts.
  • Verify the log source type IDs on your instance, for example with SELECT DISTINCT devicetype, LOGSOURCETYPENAME(devicetype) FROM events LAST 1 HOURS. If Sysmon arrives through a WinCollect log source of type 12, drop 352 from the filter.
  • Event 4688 carries a command line only when the "Include command line in process creation events" policy is enabled alongside Audit Process Creation; without it, the 4688 branch can only match on the parent image.
  • The '%' wildcards match anywhere in the string, so a benign script that merely echoes text like "net user /add" also fires; that is the price of catching argument reordering, and it is what the parent-process tuning below is for.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Sysmon (QRadar DSM)
  • Windows Security Event Log (QRadar DSM)

Required Tables

events

False Positives & Tuning

  • Endpoint management agents (BigFix, Tanium) running cmd.exe wrappers that call schtasks, icacls or takeown as part of patch compliance remediation; exclude the agent's parent image rather than the command pattern
  • Backup software (Veeam, Acronis) invoking vssadmin or wmic commands through wrapper batch files to manage VSS snapshots during backup cycles
  • Microsoft Office macros in approved enterprise templates that legitimately shell out to cmd.exe for file operations or printer configuration
Testing Methodology

Validate this detection with the four Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; after running one, re-run the query with LAST 1 HOURS and confirm the row appears with the expected flag set.

  1. Test 1: Certutil Download Cradle

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'certutil -urlcache' (CertutilAbuse = 1). Child process event for certutil.exe. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080.

  2. Test 2: Shadow Copy Deletion via cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'vssadmin'. Note: this test uses 'list' instead of 'delete' for safety. In real attacks, 'delete shadows /all /quiet' would be used. Because the query matches only '%vssadmin%delete%shadows%', the safe variant produces telemetry but does not fire the detection; to exercise the rule itself, run the query's WHERE clause against the resulting event with the pattern temporarily relaxed, or run the destructive variant only on a disposable test host.

  3. Test 3: Scheduled Task Creation via cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning schtasks.exe (ScheduledTask = 1). Security Event ID 4698: Scheduled Task Created with task name 'df00tech-test', which requires the Audit Other Object Access Events subcategory to be enabled.

  4. Test 4: Local Account Creation via cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with 'net user' in CommandLine (UserOrGroupManip = 1). Security Event ID 4720: User Account Created. Security Event ID 4732: Member Added to Security-Enabled Local Group. Both require the Account Management audit subcategories (User Account Management and Security Group Management) to be enabled.
