T1059 is the abuse of command interpreters to execute attacker code: the technique behind PowerShell-driven ransomware and cloud-instance compromise via SSM, runtime exec, or container shells. DCV's strongest signal here is GCP SCC's REVERSE_SHELL finding, paired with GuardDuty's runtime SuspiciousCommand. The remediation template covers SSM signed-execution enforcement and Azure Application Control as the preventive baseline. T1059 detection is the difference between catching post-exploitation early and reading about it in a forensic report.
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.
DCV maps 18 detections across 3 cloud providers to T1059. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 5 | 0.78 |
| AWS Inspector | AWS | 3 | 0.82 |
| AWS GuardDuty | AWS | 2 | 0.82 |
| Azure Policy | Azure | 2 | 0.85 |
| Azure Regulatory Compliance | Azure | 2 | 0.85 |
| Microsoft Defender for Cloud | Azure | 2 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.90 |
| GCP Security Command Center | GCP | 1 | 0.90 |
CloudSigma ships production-ready Sigma rules that detect T1059 across 6 platforms; the Windows Sysmon rule is shown below, and every rule is validated against its source SIEM dialect before publication.
```yaml
title: Windows Command Interpreter Spawned by Web or Scripting Runtime
id: e95ab3af-fd83-4438-ad41-47eaa0f90998
status: test
description: >
  Detects a Windows command interpreter (cmd.exe, powershell.exe,
  cscript.exe, wscript.exe) being spawned as a child of a web or
  scripting runtime that is commonly seen in webshell and
  download-cradle activity (curl.exe, wget.exe, php.exe,
  perl.exe, ruby.exe, python.exe) or of a web server worker
  process (w3wp.exe, httpd.exe). Earlier versions of this rule
  OR-ed in a broad CommandLine match (*cmd /c*, *powershell -c*)
  that fired on essentially every legitimate Windows scripted
  command; that branch is removed here. java.exe, node.exe and
  npm.exe are also dropped from the parent list because build
  tooling on developer hosts spawns cmd.exe routinely.
author: CloudSigma
date: 2026-04-24
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1505/003/
tags:
  - attack.execution
  - attack.t1059
logsource:
  product: windows
  service: sysmon
detection:
  selection_cmd_spawn:
    EventID: 1
    Image|endswith:
      - \cmd.exe
      - \powershell.exe
      - \cscript.exe
      - \wscript.exe
  selection_suspicious_parents:
    ParentImage|endswith:
      - \curl.exe
      - \wget.exe
      - \perl.exe
      - \ruby.exe
      - \php.exe
      - \python.exe
      - \w3wp.exe
      - \httpd.exe
  # Caveat: IIS application pools can run as NETWORK SERVICE, so this filter
  # also suppresses a webshell spawning cmd.exe from w3wp.exe under that
  # identity. Narrow it to the specific service accounts that legitimately
  # spawn interpreters in your environment rather than all three built-ins.
  filter_legitimate_system:
    User|contains:
      - SYSTEM
      - LOCAL SERVICE
      - NETWORK SERVICE
  condition: selection_cmd_spawn and selection_suspicious_parents and not filter_legitimate_system
falsepositives:
  - Python or curl-based deployment automation on jump hosts that intentionally invokes PowerShell
  - Legitimate ETL or backup scripts running under a service account that wraps a PowerShell pipeline
  - Webserver process (w3wp, httpd) launching a child shell as part of a documented administrative workflow
fields:
  - Image
  - ParentImage
  - CommandLine
  - User
  - Computer
level: high
```
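To check what the rule above actually alerts on, here is its detection logic run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not code from DCV, CloudSigma or the Sigma project: it is a minimal evaluator for the three Sigma constructs the rule uses (exact match, `|endswith`, `|contains`, all case-insensitive as in Sigma), not pySigma, and the sample events are made up. It also reports which events matched both selections but were swallowed by `filter_legitimate_system`, which is where the NETWORK SERVICE caveat shows up.

```python
"""Added example: exercise the Windows Sysmon T1059 rule's condition offline.

Minimal evaluator for Sigma exact match, |endswith and |contains (all
case-insensitive, as in Sigma). Not the Sigma engine; sample events below
are constructed, not real telemetry.
"""

# The rule's detection section, transcribed from the YAML above.
RULE = {
    "selection_cmd_spawn": {
        "EventID": 1,
        "Image|endswith": [
            r"\cmd.exe", r"\powershell.exe", r"\cscript.exe", r"\wscript.exe",
        ],
    },
    "selection_suspicious_parents": {
        "ParentImage|endswith": [
            r"\curl.exe", r"\wget.exe", r"\perl.exe", r"\ruby.exe",
            r"\php.exe", r"\python.exe", r"\w3wp.exe", r"\httpd.exe",
        ],
    },
    "filter_legitimate_system": {
        "User|contains": ["SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"],
    },
}


def _field_matches(event, key, expected):
    """Apply one 'Field|modifier: value(s)' line of a selection."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return value in candidates
    text = str(value).lower()
    if modifier == "endswith":
        return any(text.endswith(str(c).lower()) for c in candidates)
    if modifier == "contains":
        return any(str(c).lower() in text for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All field lines inside one selection map are AND-ed (Sigma semantics)."""
    return all(_field_matches(event, key, val) for key, val in selection.items())


def rule_matches(event):
    """condition: selection_cmd_spawn and selection_suspicious_parents and not filter_legitimate_system"""
    return (
        selection_matches(event, RULE["selection_cmd_spawn"])
        and selection_matches(event, RULE["selection_suspicious_parents"])
        and not selection_matches(event, RULE["filter_legitimate_system"])
    )


def suppressed_by_filter(event):
    """True when both selections hit but the service-account filter removed the alert."""
    return (
        selection_matches(event, RULE["selection_cmd_spawn"])
        and selection_matches(event, RULE["selection_suspicious_parents"])
        and selection_matches(event, RULE["filter_legitimate_system"])
    )


def evaluate(events):
    """Return (ids that alert, ids suppressed only by filter_legitimate_system)."""
    alerts = [e["id"] for e in events if rule_matches(e)]
    suppressed = [e["id"] for e in events if suppressed_by_filter(e)]
    return alerts, suppressed


# Constructed Sysmon Event ID 1 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"id": "webshell", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool", "CommandLine": "cmd.exe /c whoami"},
    {"id": "cradle", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\curl.exe",
     "User": r"CORP\jdoe", "CommandLine": "powershell -nop -w hidden -c Get-Date"},
    {"id": "system_py", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Tools\python.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "powershell -File deploy.ps1"},
    {"id": "devbuild", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\dev", "CommandLine": "cmd /c build.bat"},
    {"id": "curl_notepad", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\curl.exe",
     "User": r"CORP\jdoe", "CommandLine": "notepad.exe"},
    {"id": "netsvc_webshell", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS)
    print("alerts:", alerts)
    print("suppressed by service-account filter:", suppressed)
```

Running it alerts on `webshell` and `cradle` only. `system_py` is the intended suppression (SYSTEM-run automation), but `netsvc_webshell` is the same w3wp.exe to cmd.exe chain as the alerting event, dropped purely because the app pool runs as NETWORK SERVICE; that is the tuning decision the filter forces on you before deploying the rule.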
DCV maps 18 cloud-native detections to T1059 across 3 cloud providers, drawn from AWS GuardDuty, AWS Inspector, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1059 is part of MITRE ATT&CK TA0002 Execution: How adversaries run their code once inside.
CloudSigma ships 6 validated Sigma rules for T1059 across AWS CloudTrail, Azure Activity, GCP Audit Logs, Kubernetes Audit, Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.