Methods, systems, and devices detect and block execution of malicious shell commands requested by a software application. Various embodiments may include receiving a request from a software application to execute a shell command and simulating execution of the shell command to produce execution behavior information. The computing device may analyze system activities to produce execution context information and generate an execution behavior vector based, at least in part, on the execution behavior information and the execution context information. The computing device may use a behavior classifier model to determine whether the shell command is malicious. In response to determining that the shell command is malicious, the computing device may block execution of the shell command.