Command and Scripting Interpreter (T1059) is a MITRE ATT&CK technique that adversaries frequently use to execute malicious commands and scripts within a compromised system. This technique involves the use of command-line interfaces (CLI) and scripting languages to execute arbitrary code, automate actions, and interact with system components.
By leveraging native or widely deployed scripting languages, such as PowerShell, Python, AppleScript, and others, attackers can execute malicious commands that blend into normal administrative activity, evading detection by traditional defenses. This allows them to bypass security controls, automate post-exploitation actions, and maintain persistent access without leaving traditional artifacts that would trigger alarms in security monitoring tools.
Command and scripting interpreters like PowerShell, VBScript, and Unix shells are commonly used by system administrators to automate tasks. However, adversaries exploit these tools to execute malicious code on local and remote systems. Their use can include collecting system data, running payloads, accessing sensitive information, and establishing persistence by executing malicious binaries on user logins.
These interpreters, pre-installed with most operating systems, interact directly with the OS through its API, allowing attackers to operate discreetly, bypassing weak process monitoring and evading detection. Adversaries often abuse LOLbins (Living Off the Land Binaries), legitimate system tools that can be repurposed for malicious activities, such as file execution, reconnaissance, or data exfiltration, without triggering security alerts.
While T1059 Command and Scripting Interpreter is primarily associated with the Execution tactic in the MITRE ATT&CK framework, it can also be applied across other tactics, as attackers use these native OS utilities to achieve objectives within various stages of the attack lifecycle.
In the Red Report 2026, Command and Scripting Interpreter ranked as the second most commonly observed technique. It has consistently remained in the top two positions, which sends a clear message: adversaries rely heavily on command-line interfaces (CLI) and scripting languages to execute their attacks. This trend underscores a shift in adversary behavior towards stealth, evasion, and analysis-aware malware.
Adversaries are increasingly using these techniques to blend into normal system operations, evade automated detection mechanisms, and persist undetected within compromised environments. As attackers move from traditional "smash-and-grab" tactics to more sophisticated, long-lived infiltrations, the T1059 techniques are now a primary vehicle for achieving these stealthy and adaptive operations.
The Command and Scripting Interpreter technique consists of 13 sub-techniques in MITRE ATT&CK v18.
This blog serves as a hub page for the T1059 Command and Scripting Interpreter technique within the MITRE ATT&CK framework. Each linked sub-technique page explains how the technique works, details adversary behavior, and includes real-world procedure examples observed in the wild, as documented in the Red Report.