T1059
Command and Scripting Interpreter
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004), while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Sof…
Platforms
Mitigations
- M1033 — Limit Software Installation
- M1045 — Code Signing
- M1042 — Disable or Remove Feature or Program
- M1038 — Execution Prevention
- M1049 — Antivirus/Antimalware
- M1026 — Privileged Account Management
- M1047 — Audit
- M1021 — Restrict Web-Based Content
- M1040 — Behavior Prevention on Endpoint
Our coverage
- Ghostwriter Deploys Prometheus Phishing Lures Against Ukraine Government Entities
- Twelve Critical vm2 Node.js Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
- Attackers Abuse Bun JavaScript Runtime to Spread NWHStealer Infostealer
- ClaudeBleed: Claude Chrome Extension Flaw Lets Attackers Steal Gmail and GitHub Data
- ACSC Warns: ClickFix Campaign Delivers Vidar Stealer via Compromised Australian WordPress Sites
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →