T1059.006: T1059.006

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 09/03/2020 15:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1059.006
Confidence: 100/100
Revoked: No
Published: 09/03/2020 15:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Python

Platforms

windows macos linux ESXi

Description

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the `python.exe` interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Zscaler APT31 Covid-19 October 2020
mitre-attack (T1059.006)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

DriveSurge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Larva-24010 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Slow Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Saci uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FAMOUS CHOLLIMA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-00 (OceanLotus) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 related Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 related ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Astaroth related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 55

VenomRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
redux-ace uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RELOADEXT uses

Family
Pyramid C2 uses

Family
DownTroy uses

Family
UPSTYLE uses
graphflux uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SUNSPINNER uses

Family
Rhadamanthys uses

Family
Kryptina uses

Family
RustDoor uses

Family
AGENTPSD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 79

macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
Payouts King Ransomware Initial Access Broker Deploys New … related

AlienVault Confidence 100 21 MITREs 1 Malware 2 IOCs 1 APT
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
A New Threat Actor Using ClickFix and Fake … related

AlienVault Confidence 100 19 MITREs 32 IOCs 32 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Smart Contracts for C&C: How ClearFake Hid in … related

19 MITREs 2 Malwares 4 Observables
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (49)

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2017-5638 KEV targets

9.8 Critical

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 11/03/2017
Modified: 22/04/2026

CWE-755

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2021-4043 targets

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2024-2012 targets

9.1 Critical

vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code …

Published: 11/06/2024
Modified: 11/06/2024

Received

CVE-2017-7921 KEV targets

9.8 Critical

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.9410 (P99.9%)
Published: 06/05/2017
Modified: 22/04/2026

CWE-287

CVE-2025-53521 KEV targets

8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector: Network
Complexity: Low
Published: 15/10/2025
Modified: 04/04/2026

CWE-770 CWE-121 Received

CVE-2026-39987 KEV targets

9.3 Critical

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …

Attack vector: Network
Complexity: Low
Published: 09/04/2026
Modified: 29/04/2026

CWE-306 Received

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2018-10561 KEV targets

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2022-30075 targets

8.8 High

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code …

Attack vector: NETWORK
Published: 09/06/2022
Modified: 21/12/2025

← Previous

Page / 5

25–36 of 49

T1059 subtechnique-of

Command and Scripting Interpreter MITRE

Course Of Action (1)

Audit mitigates

Tool (1)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…

Contact About Legal notice Privacy policy Terms of use