T1059.006: T1059.006

Search IOCs, vulnerabilities, APT…

216.73.217.80

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 09/03/2020 15:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1059.006
Confidence: 100/100
Revoked: No
Published: 09/03/2020 15:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Python

Platforms

windows macos linux ESXi

Description

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the `python.exe` interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Zscaler APT31 Covid-19 October 2020
mitre-attack (T1059.006)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

SVF Team related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Star Blizzard related SEABORGIUMCallisto Group

The MITRE Corporation Confidence 100

[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state…

First seen 01/01/1970 · Last seen 16/11/5138 ·
StormBamboo related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sukob related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA415 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA4557/FIN6 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

49–55 of 55

CryptoAITools uses

Family
DcRAT uses

Family
pyshellfox uses

Family
NukeSped uses

Family
ClipBanker uses

Family
CivetQ uses

Family
Phoenix uses

Family
graphnode uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DinDoor uses

Family
RDAT - S0495 uses

Family
MHDDOS uses

Family
PebbleDash uses

Family

← Previous

Page / 7

37–48 of 79

How access to Gmail accounts is gained related

AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
Payouts King Ransomware Initial Access Broker Deploys New … related

AlienVault Confidence 100 21 MITREs 1 Malware 2 IOCs 1 APT
Klue Integration Abused in Salesforce Data Theft | … related

AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
A New Threat Actor Using ClickFix and Fake … related

AlienVault Confidence 100 19 MITREs 32 IOCs 32 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Smart Contracts for C&C: How ClearFake Hid in … related

19 MITREs 2 Malwares 4 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (49)

CVE-2025-9501 targets

9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector: NETWORK
Published: 17/11/2025
Modified: 08/05/2026

Awaiting Analysis

CVE-2021-20090 KEV targets

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2015-2051 KEV targets

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CWE-77

CVE-2018-9995 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2025-32463 KEV targets

9.3 Critical

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) …

Attack vector: Local
Published: 29/09/2025
Modified: 27/05/2026

Received

CVE-2017-17215 targets

Published: 20/12/2025
Modified: 20/12/2025

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2017-18368 KEV targets

Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …

Published: 07/08/2023
Modified: 20/12/2025

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

← Previous

Page / 5

13–24 of 49

T1059 subtechnique-of

Command and Scripting Interpreter MITRE

Course Of Action (1)

Audit mitigates

Tool (1)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…

Contact About Legal notice Privacy policy Terms of use