Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Execution/ T1059.003

T1059.003Windows Command Shell

T1059.003 — Windows Command Shell is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 52 detection use cases covering it and 41 threat-intel articles citing it.

Execution
View on the matrix → Filter Detection Library MITRE official spec ↗
52Use cases
41Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1059 · Command and Scripting Interpreter

Use cases covering this technique (52)

[WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint Internal exploit · alerting DSPDD [WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain Internal exploit · alerting DSΣPDD [WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens Internal exploit · alerting DSΣPDD CMD Carry Out String Command Parameter ESCU actions · hunting P CMD Echo Pipe - Escalation ESCU actions · alerting P Detect Prohibited Applications Spawning cmd exe ESCU actions · hunting P Detect Use of cmd exe to Launch Script Interpreters ESCU actions · hunting P Ryuk Wake on LAN Command ESCU actions · alerting P Windows Command Shell DCRat ForkBomb Payload ESCU actions · alerting P Windows File Association Modification via Ftype ESCU actions · hunting P Windows PowerShell FakeCAPTCHA Clipboard Execution ESCU actions · alerting P Windows Powershell History File Deletion ESCU actions · hunting P Windows PowerShell Invoke-Sqlcmd Execution ESCU actions · hunting P Windows Shell Process from CrushFTP ESCU actions · alerting P Windows SQLCMD Execution ESCU actions · hunting P Windows Suspicious React or Next.js Child Process ESCU actions · alerting P Windows TinyCC Shellcode Execution ESCU actions · alerting P CrushFTP Authentication Bypass Exploitation ESCU actions · alerting P First time seen command line argument ESCU actions · hunting P Potentially malicious code on commandline ESCU actions · hunting P Windows connhost exe started forcefully ESCU actions · alerting P [LLM] splunkd spawning shell interpreters (CVE-2026-20253 post-exploit RCE) Bespoke install · alerting DSΣPDDCS [LLM] AI coding agent (Claude Code / Cursor / Codex) spawning shell that fetch-and-executes remote payload Bespoke install · alerting DSΣPDDCS [LLM] Webserver / PHP interpreter spawns shell or LOLBin — post-upload RCE indicator Bespoke exploit · alerting DSΣPDDCS [LLM] Public-facing MSSQL sqlservr.exe spawns suspicious child (OceanLotus transport-construction intrusion vector) Bespoke exploit · alerting DSΣPDDCS [LLM] FireAnt Metakit updater spawning unexpected child (supply-chain compromise) Bespoke delivery · hunting DSΣPDDCS [LLM] npm install lifecycle script spawns interpreter or network-fetcher child Bespoke install · alerting DSΣPDDCS [LLM] Chrome browser spawning LOLBin children post-V8 sandbox-escape (CVE-2026-11645) Bespoke exploit · hunting DSΣPDDCS [LLM] DbGate node process spawning shell child (post-exploit RCE) Bespoke install · alerting DSΣPDDCS [LLM] Stata binary spawning OS shell (CVE-2026-47708 stata-mcp log_file_name injection) Bespoke exploit · alerting DSΣPDDCS [LLM] Post-exploit shell spawned by Vitest node.exe via rerun / saveTestFile (CVE-2026-47429) Bespoke exploit · alerting DSΣPDDCS [LLM] Node.js process spawning native shell / interpreter — post-vm2-escape host execution Bespoke exploit · alerting DSΣPDDCS [LLM] Node.js process spawning OS shell with enumeration commands — vm2 sandbox escape (CVE-2026-47137) Bespoke exploit · hunting DSΣPDDCS [LLM] node.exe spawning child_process targets — vm2 Promise species sandbox escape post-exploitation Bespoke exploit · alerting DSΣPDDCS [LLM] EchoCreep Discord API beacon from non-browser process (Webworm 2025) Bespoke c2 · hunting DSΣPDDCS [LLM] Kopia process spawns ssh with -oProxyCommand= argument (CVE-2026-45695) Bespoke exploit · alerting DSΣPDDCS [LLM] SSH process spawned by Kopia invokes a shell child (ProxyCommand execution) Bespoke install · alerting DSPDDCS [LLM] GlassFish java process spawning command shell (CVE-2026-2587 RCE) Bespoke exploit · alerting DSΣPDDCS [LLM] Apache Camel JVM spawning shell or command interpreter via camel-exec (CVE-2026-47323 post-exploit) Bespoke install · alerting DSΣPDDCS [LLM] MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain Bespoke exploit · alerting DSΣPDDCS [LLM] Web-server process (w3wp/php/nginx) spawns shell or LOLBin (post-SSTI RCE chain) Bespoke exploit · alerting DSΣPDDCS [LLM] Flowise node.exe Spawning OS Shell or Command-Line Utility - Post-Exploit RCE (CVE-2026-46442) Bespoke exploit · alerting DSΣPDDCS [LLM] Java/Tomcat process spawns OS command interpreter (post-Thymeleaf SSTI RCE) Bespoke actions · alerting DSΣPDDCS [LLM] Force-install of IDE extension via cmd.exe with --install-extension flag spawned by node host Bespoke install · alerting DSΣPDD [LLM] IoliteLabs VSCode extension dropper: VS Code child process reaching rraghh.com / oortt.com C2 Bespoke delivery · alerting DSΣPDD [LLM] VSCode/VSCodium spawning shell or curl to raw.githubusercontent.com/BlokTrooper Bespoke delivery · alerting DSΣPDDCS [LLM] MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke install · alerting DSΣP [LLM] APT28 MacroMaze: schtasks creating wscript-launched persistence with 20/30/61-minute repeat Bespoke install · alerting DSΣP [LLM] Node.js process spawning interactive shell — suspected post-exploit RCE on Next.js / RSC server Bespoke exploit · alerting DSΣPDDCS [LLM] SnakeStealer Wi-Fi Credential Harvest via netsh wlan show profile key=clear Bespoke actions · alerting DSΣPDDCS [LLM] Tomcat/Java process spawns OS shell or LOLBin (post-webshell RCE) Bespoke actions · alerting DSΣPDDCS [LLM] .NET build (dotnet/MSBuild) spawns git config to harvest user.email Bespoke actions · hunting DSΣPDDCS

Articles citing this technique (41)

crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication art-09
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit [GHSA / CRITICAL] CVE-2026-48062: CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule art-43
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53
crit OceanLotus: From external espionage to domestic targeting art-54
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks art-55
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE art-62
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadReader functionName code injection in DbGate art-118
crit [GHSA / CRITICAL] CVE-2026-47708: MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper art-122
high Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting art-129
crit [GHSA / CRITICAL] CVE-2026-47429: When Vitest UI server is listening, arbitrary file can be read and executed art-157
crit [GHSA / CRITICAL] CVE-2026-47140: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution art-173
crit [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE art-175
crit [GHSA / CRITICAL] CVE-2026-47208: vm2 is Vulnerable to Sandbox Breakout Through Promise Species art-176
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Webworm: New burrowing techniques art-240
crit [GHSA / CRITICAL] CVE-2026-45695: Kopia: RCE via SSH ProxyCommand Injection art-252
crit [GHSA / CRITICAL] CVE-2026-2587: GlassFish's gadget handler is vulnerable to RCE art-257
crit [GHSA / CRITICAL] CVE-2026-47323: Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering art-259
crit [GHSA / CRITICAL] CVE-2026-2611: MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local C art-264
crit From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat art-265
crit [GHSA / CRITICAL] CVE-2026-45697: Formie: Pre-authenticated server-side template injection in Hidden fields art-273
crit [GHSA / CRITICAL] CVE-2026-46442: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape art-304
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332
high Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478) art-349
crit GopherWhisper: A burrow full of malware art-362
crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401
high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405
high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412
crit EDR killers explained: Beyond the drivers art-455
crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
crit DynoWiper update: Technical analysis and attribution art-590
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642
high Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182) art-673
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit Krampus delivers an end-of-year Struts vulnerability art-1300
high .NET developers alert: Moq NuGET package exfiltrates user emails from git art-1399