T1059.003 Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.


NIST 800-53 Mappings

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

CVE-2021-40449 | Microsoft Windows Win32k Privilege Escalation Vulnerability | secondary_impact | T1059.003 | Windows Command Shell
Comments: This vulnerability is exploited by an attacker who has already obtained administrative console access on the target system. The flaw lies in the Win32k driver, specifically in the NtGdiResetDC function, and is caused by improper handling of user-mode callbacks. Threat actors have exploited it to gain elevated privileges on Windows servers, using it to execute arbitrary kernel code, manipulate system processes and deploy additional malware for follow-on activity. The exploit is actively used in the wild, primarily in espionage campaigns. It triggers a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once exploited, the attacker can manipulate memory to perform arbitrary kernel function calls with controlled parameters, which allows objectives such as reading and writing kernel memory with the same permissions as the compromised system's user.

CVE-2021-22899 | Ivanti Pulse Connect Secure Command Injection Vulnerability | primary_impact | T1059.003 | Windows Command Shell
Comments: This vulnerability is exploited through a command injection weakness. Remote authenticated attackers leverage it to achieve arbitrary code execution on the target system via the Windows Resource Profiles feature.

CVE-2023-42793 | JetBrains TeamCity Authentication Bypass Vulnerability | primary_impact | T1059.003 | Windows Command Shell
Comments: This vulnerability is exploited through an authentication bypass in JetBrains TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized remote code execution. It enables attackers to gain administrative control of the TeamCity server and execute cmd.exe for various malicious activities, including downloading and executing harmful files.

CVE-2025-49706 | Microsoft SharePoint Improper Authentication Vulnerability | secondary_impact | T1059.003 | Windows Command Shell
Comments: This improper authentication vulnerability in Microsoft SharePoint allows an attacker to send unauthenticated HTTP POST requests to an endpoint that SharePoint will trust if the request is constructed correctly. This gives the attacker access to the APIs despite the lack of credentials, as well as the ability to impersonate users and abuse native functionality.

CVE-2025-49704 | Microsoft SharePoint Code Injection Vulnerability | primary_impact | T1059.003 | Windows Command Shell
Comments: When chained with CVE-2025-49706, this vulnerability allows an attacker to send a malicious __VIEWSTATE object to the same endpoint that the POST requests were sent to. This exploits a code injection flaw and results in code execution.

CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | primary_impact | T1059.003 | Windows Command Shell
Comments: CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting indicates that various ransomware groups have exploited the vulnerability to gain access to and crash the backup infrastructure hosts, extract the stored encrypted credentials, and deploy additional tools.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.003 | Windows Command Shell
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1059.003 | Windows Command Shell

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

microsoft_sentinel | Microsoft Sentinel | technique_scores | T1059.003 | Windows Command Shell
Comments: The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" query can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Microsoft Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059.003 | Windows Command Shell
Comments: This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the command line. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
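As an added example (not part of the Mappings Explorer page, of Microsoft Sentinel or of the Alerts for Windows Machines control), the following Python triage pass reproduces two of the command-line checks named in the two Azure mappings above, a Base64 token that decodes to a PE "MZ" header and an anomalous mix of upper and lower case characters, over constructed process-creation events; the sample events, the 0.4 case-mix threshold and the function names are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample process-creation events (Sysmon/4688-shaped); the
# command lines are invented for this example. Event 3 carries a Base64
# blob that is only an "MZ" header followed by zero bytes, not a real binary.
EVENTS = [
    {"id": 1, "cmdline": r'cmd.exe /c dir "C:\Program Files" /s'},
    {"id": 2, "cmdline": "cMd.ExE /C wHoAmI && NeT UsEr"},
    {"id": 3, "cmdline": "cmd.exe /c echo "
     + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode() + " > t.txt"},
]

# Long runs of Base64 alphabet characters, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def has_encoded_pe(cmdline: str) -> bool:
    """True if a long Base64 token in the command line decodes to an 'MZ' header."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            # Pad to a multiple of four so unpadded tokens still decode.
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(b"MZ"):
            return True
    return False


def case_mix_ratio(cmdline: str) -> float:
    """Fraction of adjacent letter pairs whose case flips (pairs span only letters)."""
    pairs = flips = 0
    for a, b in zip(cmdline, cmdline[1:]):
        if a.isalpha() and b.isalpha():
            pairs += 1
            flips += a.isupper() != b.isupper()
    return flips / pairs if pairs else 0.0


def triage(events, mix_threshold=0.4):
    """Map event id -> list of reasons for every event that trips a check."""
    findings = {}
    for ev in events:
        reasons = []
        if has_encoded_pe(ev["cmdline"]):
            reasons.append("base64 token decodes to MZ header")
        if case_mix_ratio(ev["cmdline"]) > mix_threshold:
            reasons.append("anomalous upper/lower case mix")
        if reasons:
            findings[ev["id"]] = reasons
    return findings
```

Running `triage(EVENTS)` flags event 2 for case mixing and event 3 for the encoded executable, while the ordinary `dir` invocation in event 1 passes both checks; mixed-case paths such as "Program Files" stay well below the threshold because only a few letter pairs flip case.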

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

google_secops | Google Security Operations | technique_scores | T1059.003 | Windows Command Shell
Comments: Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line. This technique was scored as minimal based on the low or uncertain detection coverage factor.
References:
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral