T1059.006: T1059.006

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 09/03/2020 15:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1059.006
Confidence: 100/100
Revoked: No
Published: 09/03/2020 15:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Python

Platforms

windows macos linux ESXi

Description

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the `python.exe` interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Zscaler APT31 Covid-19 October 2020
mitre-attack (T1059.006)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

DriveSurge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Larva-24010 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Slow Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Saci uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FAMOUS CHOLLIMA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-00 (OceanLotus) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 related Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 related ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Astaroth related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 55

VenomRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
redux-ace uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RELOADEXT uses

Family
Pyramid C2 uses

Family
DownTroy uses

Family
UPSTYLE uses
graphflux uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SUNSPINNER uses

Family
Rhadamanthys uses

Family
Kryptina uses

Family
RustDoor uses

Family
AGENTPSD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 79

How access to Gmail accounts is gained related

AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
Payouts King Ransomware Initial Access Broker Deploys New … related

AlienVault Confidence 100 21 MITREs 1 Malware 2 IOCs 1 APT
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
A New Threat Actor Using ClickFix and Fake … related

AlienVault Confidence 100 19 MITREs 32 IOCs 32 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Smart Contracts for C&C: How ClearFake Hid in … related

19 MITREs 2 Malwares 4 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (49)

CVE-2025-9501 targets

9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector: NETWORK
Published: 17/11/2025
Modified: 08/05/2026

Awaiting Analysis

CVE-2021-20090 KEV targets

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2015-2051 KEV targets

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CWE-77

CVE-2018-9995 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2025-32463 KEV targets

9.3 Critical

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) …

Attack vector: Local
Published: 29/09/2025
Modified: 27/05/2026

Received

CVE-2017-17215 targets

Published: 20/12/2025
Modified: 20/12/2025

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2017-18368 KEV targets

Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …

Published: 07/08/2023
Modified: 20/12/2025

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

← Previous

Page / 5

13–24 of 49

T1059 subtechnique-of

Command and Scripting Interpreter MITRE

Course Of Action (1)

Audit mitigates

Tool (1)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…

Contact About Legal notice Privacy policy Terms of use