Shell.Application COM Object

Risk: High | Category: Windows COM API | Label: shell execution | Status: Verified

Tags: #windows-com-api #command-execution #script

🔧 API Details

Namespace

Shell.Application

Language

COM/VBScript/JavaScript

📊 Risk Assessment

Severity

High

Prevalence

Widespread

Ease of Abuse

Easy

Likelihood in Real Attacks

75%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

ShellExecute for command execution

Technique: T1059.001

🚨 Common in Campaigns

Execute commands via Shell.Application.ShellExecute

Code Example:

' Instantiate the Shell.Application COM object from a script host (wscript.exe/cscript.exe)
Set shell = CreateObject("Shell.Application")
' ShellExecute launches cmd.exe with the given arguments; parent process is the script engine,
' which is the process-creation relationship the detection strategies below look for
shell.ShellExecute "cmd.exe", "/c malware.exe", "", "open", 1

Detection Difficulty: Easy

🔍 Detection Strategies

Sysmon

HIGH Effectiveness

Process creation from script engines (cscript.exe, wscript.exe)

Microsoft Defender

HIGH Effectiveness

Behavior detection of Shell.Application.ShellExecute

🛡️ Mitigation Strategies

Policy

HIGH Feasibility

Disable Windows Script Host

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT1

FIN7

🦠 Malware Families

TrojanDropper variants

🔨 Tools

Empire

Custom scripts

📋 Metadata

API ID

8be4aeb9-fcd5-4f88-81d7-7687616d836b

Created

2026-02-02

Author

Claw