T1059 — Command and Scripting Interpreter

Technique

T1059

Tactics

Execution

MISP citations

0

KEV CVEs mapped

170

Community rules

93

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1059

MITRE description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-6554
• CVE-2025-6543
• CVE-2025-53770
• CVE-2025-47812
• CVE-2025-4632
• CVE-2025-4428
• CVE-2025-4427
• CVE-2025-42999
• CVE-2025-42599
• CVE-2025-3935
• CVE-2025-3928
• CVE-2025-35939
• CVE-2025-33053
• CVE-2025-32756
• CVE-2025-32709
• CVE-2025-32706
• CVE-2025-32701
• CVE-2025-3248
• CVE-2025-32433
• CVE-2025-31324
• CVE-2025-31201
• CVE-2025-31200
• CVE-2025-31161
• CVE-2025-30406
• CVE-2025-30397
• CVE-2025-27038
• CVE-2025-24985
• CVE-2025-24201
• CVE-2025-24085
• CVE-2025-24016
• CVE-2025-23006
• CVE-2025-22457
• CVE-2025-21590
• CVE-2025-20337
• CVE-2025-20281
• CVE-2025-1976
• CVE-2025-0994
• CVE-2024-6047
• CVE-2024-58136
• CVE-2024-57968
• CVE-2024-57727
• CVE-2024-56145
• CVE-2024-53197
• CVE-2024-53104
• CVE-2024-5217
• CVE-2024-50603
• CVE-2024-4947
• CVE-2024-4885
• CVE-2024-4879
• CVE-2024-4761
• CVE-2024-4671
• CVE-2024-4577
• CVE-2024-45195
• CVE-2024-41710
• CVE-2024-38475
• CVE-2024-34102
• CVE-2024-29059
• CVE-2024-27198
• CVE-2024-26169
• CVE-2024-21887
• CVE-2024-21413
• CVE-2024-20953
• CVE-2024-20399
• CVE-2024-20359
• CVE-2024-12987
• CVE-2024-12686
• CVE-2024-11182
• CVE-2023-7101
• CVE-2023-48788
• CVE-2023-48365
• CVE-2023-43770
• CVE-2023-41179
• CVE-2023-40044
• CVE-2023-38035
• CVE-2023-36851
• CVE-2023-36847
• CVE-2023-36846
• CVE-2023-36845
• CVE-2023-35081
• CVE-2023-34362
• CVE-2023-34192
• CVE-2023-33538
• CVE-2023-33246
• CVE-2023-2868
• CVE-2023-28252
• CVE-2023-27350
• CVE-2023-26359
• CVE-2023-2533
• CVE-2023-22952
• CVE-2023-22515
• CVE-2023-20887
• CVE-2023-20867
• CVE-2023-20273
• CVE-2023-20118
• CVE-2023-20109
• CVE-2022-43939
• CVE-2022-43769
• CVE-2022-42948
• CVE-2022-41125
• CVE-2022-39197
• CVE-2022-37969
• CVE-2022-36804
• CVE-2022-35914
• CVE-2022-35405
• CVE-2022-34713
• CVE-2022-29303
• CVE-2022-26501
• CVE-2022-26500
• CVE-2022-26258
• CVE-2022-24521
• CVE-2022-23748
• CVE-2022-23131
• CVE-2022-22965
• CVE-2022-22947
• CVE-2022-22047
• CVE-2022-21999
• CVE-2022-21971
• CVE-2022-1040
• CVE-2021-45382
• CVE-2021-45046
• CVE-2021-42321
• CVE-2021-42258
• CVE-2021-42237
• CVE-2021-42013
• CVE-2021-41773
• CVE-2021-35464
• CVE-2021-35394
• CVE-2021-3129
• CVE-2021-31166
• CVE-2021-27104
• CVE-2021-27102
• CVE-2021-27101
• CVE-2021-26084
• CVE-2021-22986
• CVE-2021-22900
• CVE-2021-22894
• CVE-2021-22893
• CVE-2021-22205
• CVE-2021-22204
• CVE-2021-22005
• CVE-2021-21972
• CVE-2021-20035
• CVE-2021-1498
• CVE-2021-1497
• CVE-2020-8515
• CVE-2020-5902
• CVE-2020-3580
• CVE-2020-29574
• CVE-2020-29557
• CVE-2020-25506
• CVE-2020-17530
• CVE-2020-15505
• CVE-2020-0787
• CVE-2019-3398
• CVE-2019-19781
• CVE-2019-17558
• CVE-2019-13608
• CVE-2019-11634
• CVE-2019-11580
• CVE-2019-11510
• CVE-2018-7600
• CVE-2018-6789
• CVE-2018-11776
• CVE-2017-9822
• CVE-2017-9805
• CVE-2017-6742
• CVE-2017-5638
• CVE-2017-11882
• CVE-2016-4437
• CVE-2010-2883

Detection coverage

SigmaHQ community rules

• Turla Group Lateral Movement (emerging-threats)
• Lazarus Group Activity (emerging-threats)
• Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt (emerging-threats)
• Potential CVE-2021-40444 Exploitation Attempt (emerging-threats)
• REvil Kaseya Incident Malware Patterns (emerging-threats)
• Atlassian Confluence CVE-2022-26134 (emerging-threats)
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) (emerging-threats)
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) (emerging-threats)
• Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE (emerging-threats)
• DarkGate - Autoit3.EXE File Creation By Uncommon Process (emerging-threats)
• DarkGate - Autoit3.EXE Execution Parameters (emerging-threats)
• Ursnif Redirection Of Discovery Commands (emerging-threats)
• DarkGate - Drop DarkGate Loader In C:\Temp Directory (emerging-threats)
• Potential KamiKakaBot Activity - Lure Document Execution (emerging-threats)
• Linux Suspicious Child Process from Node.js - React2Shell (emerging-threats)
• Windows Suspicious Child Process from Node.js - React2Shell (emerging-threats)
• Shai-Hulud Malware Indicators - Linux (emerging-threats)
• Shai-Hulud Malware Indicators - Windows (emerging-threats)
• Elevated System Shell Spawned (threat-hunting)
• Manual Execution of Script Inside of a Compressed File (threat-hunting)
• Azure New CloudShell Created (core)
• BPFDoor Abnormal Process ID or Lock File Accessed (core)
• Suspicious Invocation of Shell via AWK - Linux (core)
• Capsh Shell Invocation - Linux (core)
• Shell Execution via Git - Linux (core)

Showing 25 of 93 community rules — the full set is tagged attack.t1059 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.