Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.
There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)
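As an added detection example (not code from the ATT&CK page), the following flags process-creation events that match two of the patterns the description names: an interpreter launched by the application that opened a lure document, and an interpreter launched by a remote-service host. The log format, process names and sample lines are constructed assumptions.

```python
"""Added example (not from the ATT&CK page): flag process-creation events
matching two T1059 patterns from the description, an interpreter launched by
the app that opened a lure document or by a remote service host. The event
format, process names and sample lines are constructed assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Interpreter binaries from the sub-technique list (assumed file names).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "python.exe", "python3", "perl", "ruby",
                "bash", "sh", "osascript", "lua"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
REMOTE_HOSTS = {"wsmprovhost.exe", "sshd"}  # WinRM provider host, OpenSSH
FIELD = re.compile(r'(\w+)="([^"]*)"')       # key="value" pairs in a log line

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Label an interpreter launch by its parent; None if no pattern matched."""
    if basename(event["image"]) not in INTERPRETERS:
        return None
    parent = basename(event["parent"])
    if parent in DOCUMENT_APPS:
        return "interpreter_from_document_app"    # lure-document delivery
    if parent in REMOTE_HOSTS:
        return "interpreter_from_remote_service"  # compare with admin baseline
    return None

def detect(log: str) -> List[Tuple[str, str]]:
    """Return (interpreter, label) for every line that matched a pattern."""
    hits = []
    for line in filter(str.strip, log.splitlines()):
        event = dict(FIELD.findall(line))  # parse key="value" fields
        label = classify(event)
        if label:
            hits.append((basename(event["image"]), label))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_LOG = r'''
parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"
parent="C:\Program Files\Microsoft Office\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File report.ps1"
parent="C:\Windows\System32\wsmprovhost.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -Command Get-Process"
parent="/usr/sbin/sshd" image="/usr/bin/perl" cmdline="perl /tmp/collect.pl"
parent="/usr/bin/bash" image="/usr/bin/python3" cmdline="python3 backup.py"
'''
```

Remote-service launches are routine where PowerShell Remoting or SSH administration is in use, so that label is a triage cue to compare against the known administrative baseline rather than an alert on its own.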
Sub-Techniques (13)
| ID | Sub-technique |
|---|---|
| T1059.001 | PowerShell |
| T1059.002 | AppleScript |
| T1059.003 | Windows Command Shell |
| T1059.004 | Unix Shell |
| T1059.005 | Visual Basic |
| T1059.006 | Python |
| T1059.007 | JavaScript |
| T1059.008 | Network Device CLI |
| T1059.009 | Cloud API |
| T1059.010 | AutoHotKey & AutoIT |
| T1059.011 | Lua |
| T1059.012 | Hypervisor CLI |
| T1059.013 | Container CLI/API |
Mitigations (9)
| ID | Mitigation | Description |
|---|---|---|
| M1033 | Limit Software Installation | Prevent user installation of unrequired command and scripting interpreters. |
| M1045 | Code Signing | Where possible, only permit execution of signed scripts. |
| M1042 | Disable or Remove Feature or Program | Disable or remove any unnecessary or unused shells or interpreters. |
| M1038 | Execution Prevention | Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).(Citation: Microsoft PowerShell CLM) |
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
| M1026 | Privileged Account Management | When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.(Citation: Netspi PowerShell Execution Policy Bypass) PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can ex |
| M1047 | Audit | Inventory systems for unauthorized command and scripting interpreter installations. |
| M1021 | Restrict Web-Based Content | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content.(Citation: win10_asr) |
Threat Groups (17)
| ID | Group | Context |
|---|---|---|
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used a Perl reverse shell to communicate with C2.(Citation: ClearSky Pay2Kitten December 2020) |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware uses WMI to script data collection and command execution on the victim.(Citation: Citi... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) used XLM 4.0 macros for initial code execution for malicious document files.(Citation: DomainTo... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used SQL scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citatio... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and re... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) scans processes on all victim systems in the environment and uses automated scripts to pull back the res... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) downloaded and launched code within a SCT file.(Citation: FireEye APT19) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used COM scriptlets to download Cobalt Strike beacons.(Citation: Cybereason Cobalt Kitty 2017) |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used the command line for execution.(Citation: US-CERT TA18-074A) |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has used the Windows Script Host (wscript) to execute intermediate files written to victim machine... |
| G0107 | Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has used a simple remote shell tool that will call back to the C2 server and wait for commands.(Cita... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized custom scripts to perform internal reconnaissance.(Citation: FireEye APT39 Jan 2019)(Citat... |
| G0004 | Ke3chang | Malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) can run commands on the command-line interface.(Citation: Mandiant Operation Ke3chan... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used Ruby scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized meterpreter shellcode.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) |
| G0124 | Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a Perl script for information gathering.(Citation: ESET ForSSHe December 2018) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used various types of scripting for execution.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ... |
Associated Software (23)
| ID | Name | Type | Context |
|---|---|---|---|
| S0334 | DarkComet | Malware | [DarkComet](https://attack.mitre.org/software/S0334) can execute various types of scripts on the victim’s machine.(Citation: Malwarebytes DarkComet Ma... |
| S1227 | StarProxy | Malware | [StarProxy](https://attack.mitre.org/software/S1227) has used the command line for execution of commands.(Citation: Zscaler) |
| S0023 | CHOPSTICK | Malware | [CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing remote command execution.(Citation: Crowdstrike DNC June 2016)(Citation:... |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) can generate shellcode outputs that execute via Ruby.(Citation: Donut Github) |
| S0618 | FIVEHANDS | Malware | [FIVEHANDS](https://attack.mitre.org/software/S0618) can receive a command line argument to limit file encryption to specified directories.(Citation: ... |
| S0167 | Matryoshka | Malware | [Matryoshka](https://attack.mitre.org/software/S0167) is capable of providing Meterpreter shell access.(Citation: ClearSky Wilted Tulip July 2017) |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and execu... |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487) can create a reverse shell between the infected host and a specified system.(Citation: ESET ForSSHe ... |
| S1151 | ZeroCleare | Malware | [ZeroCleare](https://attack.mitre.org/software/S1151) can receive command line arguments from an operator to corrupt the file system using the [RawDis... |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) is able to open a remote shell to execute commands.(Citation: FireEye Hacking Team)(Citation: Ncc... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) has the ability to create reverse shells with Perl scripts.(Citation: ANSSI Sandworm Januar... |
| S0219 | WINERACK | Malware | [WINERACK](https://attack.mitre.org/software/S0219) can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows co... |
| S1110 | SLIGHTPULSE | Malware | [SLIGHTPULSE](https://attack.mitre.org/software/S1110) contains functionality to execute arbitrary commands passed to it.(Citation: Mandiant Pulse Sec... |
| S0234 | Bandook | Malware | [Bandook](https://attack.mitre.org/software/S0234) can support commands to execute Java-based payloads.(Citation: CheckPoint Bandook Nov 2020) |
| S1154 | VersaMem | Malware | [VersaMem](https://attack.mitre.org/software/S1154) was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java serv... |
| S0330 | Zeus Panda | Malware | [Zeus Panda](https://attack.mitre.org/software/S0330) can launch remote scripts on the victim’s machine.(Citation: GDATA Zeus Panda June 2017) |
| S1192 | NICECURL | Malware | [NICECURL](https://attack.mitre.org/software/S1192) has provided an arbitrary command execution interface.(Citation: Mandiant APT42-untangling) |
| S0374 | SpeakUp | Malware | [SpeakUp](https://attack.mitre.org/software/S0374) uses Perl scripts.(Citation: CheckPoint SpeakUp Feb 2019) |
| S0460 | Get2 | Malware | [Get2](https://attack.mitre.org/software/S0460) has the ability to run executables with command-line arguments.(Citation: Proofpoint TA505 October 201... |
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has launched a reverse shell using a provided command line.(Citation: ESET_MuddyWater_Dec2025) |
References
- Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021.
- Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.
- Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021.
Frequently Asked Questions
What is T1059 (Command and Scripting Interpreter)?
T1059 is a MITRE ATT&CK technique named 'Command and Scripting Interpreter'. It belongs to the Execution tactic(s). Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu...
How can T1059 be detected?
Detection of T1059 (Command and Scripting Interpreter) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1059?
There are 9 documented mitigations for T1059. Key mitigations include: Limit Software Installation, Code Signing, Disable or Remove Feature or Program, Execution Prevention, Antivirus/Antimalware.
Which threat groups use T1059?
Known threat groups using T1059 include: Fox Kitten, Stealth Falcon, Winter Vivern, FIN7, FIN6, FIN5, APT19, APT32.