T1059: Command and Scripting Interpreter

T1059 is one of the most frequently observed techniques in the MITRE ATT&CK framework because it targets something that cannot be removed: the interpreters themselves. PowerShell ships with Windows. Bash ships with Linux and macOS. Python is installed on servers, developer workstations, and cloud infrastructure worldwide. These tools exist because administrators and developers need them. Attackers exploit that same necessity.

In the Picus Red Report 2026, T1059 ranked as the second most commonly observed technique across 1.1 million analyzed malware samples, appearing in 27% of all samples — translating to nearly 295,000 instances. A separate analysis by D3 Security covering 75,000 real-world incidents found that Command and Scripting Interpreter was the single most prevalent technique by a wide margin. The technique has consistently held a top-two position in prevalence rankings for multiple years, reflecting a fundamental truth about adversary tradecraft: attackers prefer to use what is already installed rather than risk detection by deploying custom tools.

How Command and Scripting Interpreter Abuse Works

The attack pattern follows a consistent logic regardless of which interpreter is used. The adversary first needs a way to invoke the interpreter — this could be through a phishing payload that triggers a script, a web shell that passes commands to a shell, exploitation of a vulnerability that grants command execution, or social engineering that tricks a user into running a command themselves.

Once the interpreter is active, the attacker has direct access to the operating system's capabilities. They can enumerate the environment (users, network connections, installed software, security tools), download additional tools or payloads from external infrastructure, modify system configurations to establish persistence, harvest credentials from memory or files, move laterally to other systems, and exfiltrate data — all through native commands that the system was designed to execute.

What makes T1059 particularly difficult to defend against is the dual-use nature of every interpreter involved. The same PowerShell command that an attacker uses to download a malicious payload (Invoke-WebRequest) is used thousands of times daily by administrators for legitimate automation. The same bash session that an attacker uses to enumerate a compromised Linux server is indistinguishable from a legitimate SSH session. Detection cannot rely on the presence of the tool — it must rely on the context, sequence, and behavior of how the tool is used.

Sub-Techniques

As of ATT&CK v18, T1059 contains 13 sub-techniques — more than nearly any other technique in the framework. Each represents a distinct interpreter or scripting environment that adversaries have weaponized in documented operations.

T1059.001 — PowerShell

PowerShell is the most heavily abused sub-technique in the entire ATT&CK framework, with over 200 documented threat groups and malware families observed using it. It ships with every modern version of Windows and provides deep access to Windows internals, .NET libraries, the registry, WMI, COM objects, and remote execution capabilities. Adversaries use PowerShell for everything from downloading payloads (Invoke-WebRequest, New-Object Net.WebClient) to dumping credentials from LSASS memory to disabling Windows Defender exclusions via Add-MpPreference. Fileless malware campaigns frequently execute entirely within PowerShell, keeping malicious code in memory and never writing artifacts to disk. HellCat ransomware (observed March 2025) used a multi-stage PowerShell chain that created registry Run-key persistence and fetched payloads through in-memory script block execution.

T1059.002 — AppleScript

AppleScript provides automation capabilities on macOS through the osascript binary. Adversaries embed AppleScript commands in malicious installers and applications to execute payloads while bypassing Gatekeeper checks. In February 2025, a campaign distributing the Atomic macOS Stealer (AMOS) used a fake DeepSeek installer that abused AppleScript to locate, copy, and execute a hidden binary — clearing extended attributes to evade macOS security controls entirely.

T1059.003 — Windows Command Shell

cmd.exe remains one of the most frequently invoked executables in malware execution chains. While less capable than PowerShell, it is often the first interpreter launched — attackers use it to spawn PowerShell, run batch files, invoke certutil for payload download, or execute schtasks for persistence. Ransomware families including WastedLocker and Interlock use cmd.exe to run reconnaissance commands like whoami, arp -a, and systeminfo before deploying their encryption payloads.

T1059.004 — Unix Shell

Bash, sh, zsh, and other Unix shell variants are the primary execution environment on Linux, macOS, and ESXi systems. Adversaries use shell scripts for cryptomining campaigns (cron persistence, miner deployment), botnet operations, and targeted espionage. In 2025, UNC3886 deployed custom TINYSHELL-based backdoors on Juniper MX routers running FreeBSD, using shell commands to decode base64-encoded payloads, inject malicious code into legitimate processes, and systematically disable logging across the device — all through the router's native shell interface.

T1059.005 — Visual Basic

VBScript and VBA macros have been foundational malware delivery mechanisms for decades. While Microsoft's decision to block macros by default in Office documents reduced their effectiveness as initial access vectors, adversaries adapted by shifting to ISO files, LNK shortcuts, and OneNote attachments that invoke VBScript through alternative paths. VBScript remains active in ClickFix campaigns where obfuscated .vbs files serve as intermediate stages in multi-step infection chains.

T1059.006 — Python

Python is installed on many servers and developer workstations, and its extensive standard library makes it useful for adversaries across every attack phase. Threat actors use Python for reverse shells, credential theft, data exfiltration, and as a runtime for deploying remote access tools. In February 2026, a ClickFix variant called CrashFix deployed a portable WinPython environment alongside a Python-based RAT (ModeloRAT) that established persistence through registry keys and communicated with C2 over HTTP.

T1059.007 — JavaScript/JScript

JavaScript and JScript execute through wscript.exe, cscript.exe, and mshta.exe on Windows systems. Adversaries deliver malicious .js and .hta files through phishing attachments and drive-by downloads, using them to download and execute secondary payloads. The ClickFix technique frequently abuses mshta.exe to execute payloads disguised with file extensions like .mp3, .jpg, or .html.

T1059.008 — Network Device CLI

Network devices (routers, switches, firewalls) provide their own command-line interfaces for configuration and management. Adversaries who gain access to these CLIs — often through stolen credentials or default accounts — can modify routing tables, disable access controls, create backdoor accounts, and intercept traffic. Volt Typhoon has been documented using Cisco IOS CLI commands to modify router configurations on compromised U.S. critical infrastructure devices.

T1059.009 — Cloud API

Cloud provider CLIs and APIs (AWS CLI, Azure PowerShell, gcloud) enable adversaries to interact with cloud infrastructure using stolen credentials or compromised service accounts. A single authenticated CLI session can enumerate storage buckets, spin up compute instances for cryptomining, exfiltrate database snapshots, and modify IAM policies.

T1059.010 — AutoHotKey and AutoIT

AutoHotKey and AutoIT are Windows automation frameworks that can be compiled into standalone executables. This makes them attractive for adversaries because the compiled binary does not require an external interpreter — it runs independently, and the automation logic is embedded within the executable. Threat actors use these tools to automate GUI interactions, keylogging, and payload deployment while evading command-line monitoring.

T1059.011 — Lua

Lua is a lightweight scripting language commonly embedded in gaming engines and configuration management tools. In 2024-2025, campaigns distributed Lua-based malware disguised as game cheat tools, bundling a Lua runtime with obfuscated scripts that executed credential-stealing payloads. Enterprise usage remains limited, but Lua's portability and ability to be embedded in legitimate applications makes it a viable execution vehicle.

T1059.012 — Hypervisor CLI

VMware ESXi and other hypervisor platforms provide administrative CLIs that adversaries target to compromise virtual infrastructure at the host level. UNC3886 has been documented using hypervisor CLI commands to access guest virtual machines, deploy backdoors, and tamper with forensic artifacts — operations that are invisible to security tools running inside the guest VMs.

T1059.013 — Container CLI/API

Added in ATT&CK v18, this sub-technique covers the abuse of Docker CLI and Kubernetes APIs to execute commands inside containers, steal cloud credentials, and move laterally across containerized environments. As organizations increasingly adopt container orchestration, this attack surface continues to expand.

Real-World Case Studies

ClickFix — Social Engineering Meets PowerShell Execution

ClickFix represents one of the most significant evolutions in T1059 abuse during 2025-2026. Rather than exploiting a software vulnerability, ClickFix campaigns trick users into executing malicious commands themselves. The attack begins with a web page that presents a fake CAPTCHA, error message, or verification prompt. When the user follows the on-screen instructions — typically pressing a key combination like Win+R and pasting clipboard content — they unknowingly execute a PowerShell command that downloads and installs malware.

The technique is devastatingly effective because the user initiates the execution, bypassing endpoint protections that would block automated script launches. Microsoft documented the technique being used to deliver Lumma Stealer, Latrodectus, NetSupport RAT, and other payloads across campaigns spanning multiple industries. In February 2026, a variant shifted from the Windows Run dialog to Windows Terminal, using Win+X then I to launch a privileged terminal session that further blends into legitimate administrative workflows. Another variant called FileFix (disclosed June 2025) uses Windows File Explorer's address bar instead of the Run dialog, making the malicious execution appear as if the user is simply opening a file.

ClickFix campaigns have been attributed to both financially motivated cybercriminals and nation-state actors. North Korean operators adapted it for fake job interview campaigns targeting cryptocurrency firms, while MuddyWater (Iran-linked) deployed it against Israeli organizations using ClickFix-style lures that initiated multi-stage PowerShell infection chains delivering a custom RAT.

UNC3886 — Shell Scripting on Juniper Routers

In mid-2024, Google Mandiant discovered that the China-nexus espionage group UNC3886 had deployed six distinct TINYSHELL-based backdoors on Juniper Networks MX routers running end-of-life Junos OS. The operation demonstrated how command and scripting interpreter abuse extends beyond traditional endpoints to core networking infrastructure.

The attackers gained initial access through compromised TACACS+ authentication services and terminal servers, entering the FreeBSD shell from the Junos OS CLI. From the shell, they used base64 decoding and tar extraction to deploy their backdoors, then leveraged process injection (CVE-2025-21590) to bypass the router's Veriexec file integrity protection system. Each backdoor included an embedded script that systematically disabled logging — running sed commands to strip entries from /var/log/interactive-commands, /var/log/messages, and shell history files — ensuring that forensic analysis would find no trace of the intrusion.

The operation was characterized by its exclusive reliance on native shell commands and built-in Unix utilities rather than custom exploitation tools. UNC3886 has previously used identical scripting techniques against Fortinet (CVE-2022-41328) and VMware infrastructure, establishing a pattern of targeting the CLI environments embedded in network and virtualization appliances that lack traditional endpoint detection coverage.

HellCat Ransomware — Multi-Stage PowerShell Persistence

In March 2025, researchers analyzed HellCat ransomware and documented a multi-stage PowerShell execution chain designed to establish persistent access while evading detection. The chain began with a script that located the full path to powershell.exe, constructed a hidden execution command using Invoke-WebRequest to download remote .ps1 content, and then dynamically created script blocks for in-memory execution — never writing the payload to disk.

To ensure persistence, the script wrote the constructed command into the Windows registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run under the value name "maintenance," guaranteeing re-execution at every user login. This approach combined T1059.001 (PowerShell execution) with T1547.001 (registry Run key persistence) in a single automated chain that re-established C2 communication after every reboot.

Mustang Panda — PowerShell for Credential Dumping

In August 2025, Picus Security analyzed a Mustang Panda intrusion in which the threat actor used PowerShell to dump LSASS memory via Mimikatz commands. The sequence used privilege::debug to obtain the necessary debug privilege for reading protected process memory, followed by sekurlsa::logonPasswords to parse LSASS and extract NTLM hashes, Kerberos tickets, and cached credentials. The harvested credentials were immediately usable for pass-the-hash lateral movement and pass-the-ticket domain escalation — all executed through PowerShell without deploying a standalone Mimikatz binary.

ValleyRAT — PowerShell for Defense Evasion

In November 2025, analysis of the ValleyRAT malware revealed it injecting a PowerShell command to add a Windows Defender exclusion for the drive containing the malware. The command used Add-MpPreference -ExclusionPath to register the path, causing Defender to skip real-time scanning of all files and processes under that location. The injection was executed via a remote shell mechanism using Invoke-Command, allowing the attacker to silently disable endpoint protection from a distance while the command itself appeared as a legitimate administrative action.

Detection Strategies

Detecting T1059 abuse requires monitoring the interpreters themselves rather than looking for specific malware signatures. The challenge is separating malicious usage from the enormous volume of legitimate command-line activity in any environment. Detection strategies must focus on behavioral anomalies: what is being executed, by whom, from where, and in what sequence.

Key Windows Event IDs

Event ID	Source	What It Captures
4104	PowerShell Script Block	Captures the full content of executed PowerShell scripts, including deobfuscated versions — the single most valuable data source for PowerShell threat detection
4103	PowerShell Module	Logs module loading and pipeline execution details — captures cmdlet names and parameters even when scripts are obfuscated
4688	Security	Process creation with command-line arguments — essential for detecting suspicious interpreter invocations and parent-child process relationships
1	Sysmon	Process creation with hashes, parent process, and user context — provides richer metadata than native Event ID 4688
3	Sysmon	Network connections by process — detects scripts making outbound HTTP requests to download payloads or communicate with C2
800	PowerShell Operational	Pipeline execution details — supplements script block logging with execution context

Detection Queries

The following queries target behavioral patterns characteristic of malicious interpreter usage. Since the interpreters themselves are legitimate, detection depends on identifying anomalous context — unusual parent processes, encoded commands, suspicious network connections, and sequences that indicate attack progression.

# Detect encoded PowerShell execution (common in ClickFix and malware)
# Windows Security Log — Event ID 4688 with command line auditing enabled

index=wineventlog EventCode=4688
    (CommandLine="*-encodedcommand*" OR CommandLine="*-enc *"
     OR CommandLine="*-e *" OR CommandLine="*FromBase64String*"
     OR CommandLine="*[Convert]::*")
    (NewProcessName="*powershell*" OR NewProcessName="*pwsh*")
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
  by Computer, SubjectUserName, ParentProcessName, CommandLine
| where count > 1
| sort - count

# Detect suspicious script interpreter parent-child chains
# Sysmon Event ID 1 — identify interpreters spawned by unusual parents

index=sysmon EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
     OR Image="*\\cmd.exe" OR Image="*\\wscript.exe"
     OR Image="*\\cscript.exe" OR Image="*\\mshta.exe")
    (ParentImage="*\\explorer.exe" OR ParentImage="*\\wt.exe"
     OR ParentImage="*\\outlook.exe" OR ParentImage="*\\winword.exe"
     OR ParentImage="*\\excel.exe" OR ParentImage="*\\msedge.exe"
     OR ParentImage="*\\chrome.exe")
| stats count, values(CommandLine) as commands
  by Computer, User, ParentImage, Image
| where count > 0
| sort - count

# Detect PowerShell making outbound web requests (payload download)
# Sysmon Event ID 3 — network connections from script interpreters

index=sysmon EventCode=3
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
     OR Image="*\\wscript.exe" OR Image="*\\mshta.exe"
     OR Image="*\\python.exe" OR Image="*\\python3.exe")
    Initiated="true"
    NOT DestinationIp IN ("10.*", "172.16.*", "192.168.*", "127.*")
| stats count, values(DestinationIp) as dest_ips,
        values(DestinationPort) as dest_ports
  by Computer, User, Image
| where count > 2
| sort - count

Linux and macOS Detection

On Linux and macOS systems, detection focuses on process auditing, shell history monitoring, and file integrity checks:

# Detect suspicious shell commands on Linux (auditd)
# Look for reconnaissance, credential access, and payload download patterns

type=EXECVE
    (a0="curl" OR a0="wget" OR a0="python" OR a0="python3" OR a0="perl")
    (a1="*http*" OR a1="*-e*" OR a1="*import*socket*")

# Also monitor for:
# - base64 decoding piped to shell: echo ... | base64 -d | bash
# - cron modifications: crontab -l, crontab -e
# - history deletion: history -c, unset HISTFILE
# - log tampering: sed -i on /var/log/* files

Known Threat Actors Using T1059

T1059 has the broadest documented threat actor usage of any technique in the ATT&CK framework. The following represents a selection of prominent groups — the full list exceeds 200 entries across nation-state and criminal operations:

Threat Actor	Primary Sub-Techniques	Notable Context
APT28 (Fancy Bear)	PowerShell, Unix Shell	Extensively uses PowerShell for post-exploitation and lateral movement in government and political targets
APT41 (Wicked Panda)	PowerShell, Windows Command Shell, Python	Combines PowerShell execution with supply chain compromise and rootkit deployment
UNC3886	Unix Shell, Hypervisor CLI, Network Device CLI	Targets Juniper routers, VMware ESXi, and Fortinet devices through native CLI abuse; confirmed active in 2025
MuddyWater	PowerShell, Windows Command Shell	Deployed ClickFix-style lures against Israeli organizations delivering PowerShell-based RATs
Mustang Panda	PowerShell, Windows Command Shell	Uses PowerShell for credential dumping via Mimikatz and lateral movement via SMB execution
APT42 (Charming Kitten)	PowerShell	Downloads and executes PowerShell payloads as secondary stages in targeted espionage operations
Scattered Spider	PowerShell, Python	Uses PowerShell and Python for post-compromise activity following social engineering-based access
Lazarus Group	PowerShell, Unix Shell	Adapted ClickFix technique for fake job interview campaigns targeting cryptocurrency firms
Qilin Ransomware	PowerShell, Windows Command Shell	Uses PowerShell alongside BYOVD (Bring Your Own Vulnerable Driver) to disable EDR before encryption
RansomHub	PowerShell	Uses PowerShell to delete volume shadow copies prior to ransomware deployment

Defensive Recommendations

1. Enable comprehensive script logging: Deploy PowerShell Script Block Logging (Event ID 4104), Module Logging (Event ID 4103), and Transcription Logging across all Windows endpoints. These provide the deobfuscated content of every executed script — the single most effective detection data source for T1059.001. Ensure logs are forwarded to your SIEM in real time.
2. Remove PowerShell v2: PowerShell v2 does not support Script Block Logging, Module Logging, or Constrained Language Mode. Adversaries can invoke it explicitly (powershell -version 2) to bypass all modern logging. Remove the Windows feature entirely: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2.
3. Enforce PowerShell Constrained Language Mode: CLM restricts access to .NET types, COM objects, and sensitive APIs while allowing standard administrative commands. When combined with application control policies (AppLocker or WDAC), it prevents attackers from using PowerShell as a general-purpose execution engine while preserving administrative functionality.
4. Implement application control: Windows Defender Application Control (WDAC) or AppLocker policies can restrict which scripts and binaries are allowed to execute. Block unsigned scripts, restrict wscript.exe and cscript.exe execution except through approved workflows, and prevent mshta.exe from executing content from external URLs.
5. Monitor command-line process creation: Enable command-line auditing in Windows Security Event 4688 and deploy Sysmon for richer process creation telemetry. Establish baselines for normal interpreter usage and alert on deviations — encoded commands, unusual parent-child relationships, off-hours execution, and scripts making outbound network connections.
6. Restrict interpreter access on servers: On production servers and critical infrastructure, limit which accounts can execute PowerShell, Python, or other interpreters through Just Enough Administration (JEA) and role-based access controls. Service accounts should not have interactive shell access.
7. Address the ClickFix threat vector: Train employees to never paste commands from websites into terminals, the Run dialog, or File Explorer. Implement browser isolation policies that prevent clipboard injection from untrusted sites. Monitor for powershell.exe or cmd.exe spawned directly from explorer.exe with network connections occurring immediately after — this pattern is characteristic of ClickFix execution.
8. Secure network device CLIs: Implement multi-factor authentication for all router, switch, and firewall management interfaces. Restrict shell access to named administrator accounts. Deploy centralized logging for all network device CLI sessions and monitor for configuration changes, new account creation, and logging modifications.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1059
Technique Name	Command and Scripting Interpreter
Tactics	Execution
Platforms	Windows, Linux, macOS, Network, Containers, IaaS
Sub-Techniques	T1059.001 PowerShell, T1059.002 AppleScript, T1059.003 Windows Command Shell, T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, T1059.007 JavaScript/JScript, T1059.008 Network Device CLI, T1059.009 Cloud API, T1059.010 AutoHotKey & AutoIT, T1059.011 Lua, T1059.012 Hypervisor CLI, T1059.013 Container CLI/API
Data Sources	Command Execution, Process Creation, Module Load, Script Execution, Network Traffic
Requires Permissions	User (varies by interpreter and target system)
MITRE Reference	attack.mitre.org/techniques/T1059

Sources and References

• MITRE ATT&CK — T1059 Command and Scripting Interpreter: attack.mitre.org
• Picus Security — Red Report 2026 and T1059 Sub-Technique Analysis: picussecurity.com
• Microsoft Threat Intelligence — ClickFix Analysis (August 2025): microsoft.com
• Google Mandiant — Ghost in the Router: UNC3886 Targets Juniper Routers: cloud.google.com
• FortiGuard Labs — From ClickFix to Command: A Full PowerShell Attack Chain: fortinet.com
• CIS — ClickFix: An Adaptive Social Engineering Technique: cisecurity.org
• CyberDesserts — Cyber Threat Landscape Report February 2026: cyberdesserts.com