Command and Scripting Interpreter: Python, Sub-technique T1059.006 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Command and Scripting Interpreter: Python
Other sub-techniques of Command and Scripting Interpreter (12):
T1059.001 PowerShell
T1059.002 AppleScript
T1059.003 Windows Command Shell
T1059.004 Unix Shell
T1059.005 Visual Basic
T1059.006 Python
T1059.007 JavaScript
T1059.008 Network Device CLI
T1059.009 Cloud API
T1059.010 AutoHotKey & AutoIT
T1059.011 Lua
T1059.012 Hypervisor CLI
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. [1]
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
ID: T1059.006
Sub-technique of: T1059
Tactic: Execution
Platforms: ESXi, Linux, Windows, macOS
Version: 1.1
Created: 09 March 2020
Last Modified: 15 April 2025
Procedure Examples
G0016 APT29: APT29 has developed malware variants written in Python. [2]
G0067 APT37: APT37 has used Python scripts to execute payloads. [3]
G0087 APT39: APT39 has used a command line utility and a network scanner written in Python. [4][5]
S0234 Bandook: Bandook can support commands to execute Python-based payloads. [6]
G0060 BRONZE BUTLER: BRONZE BUTLER has made use of Python-based remote access tools. [7]
S0482 Bundlore: Bundlore has used Python scripts to execute payloads. [8]
S0631 Chaes: Chaes has used Python scripts for execution and the installation of additional files. [9]
G1021 Cinnamon Tempest: Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files. [10]
S0154 Cobalt Strike: Cobalt Strike can use Python to perform execution. [11][12][13][14]
S0369 CoinTicker: CoinTicker executes a Python script to download its second stage. [15]
S0492 CookieMiner: CookieMiner has used Python scripts on the user's system, as well as the Python variant of the Empire agent, EmPyre. [16]
C0029 Cutting Edge: During Cutting Edge, threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool. [17][18]
S0695 Donut: Donut can generate shellcode outputs that execute via Python. [19]
G0035 Dragonfly: Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim. [20]
S0547 DropBook: DropBook is a Python-based backdoor compiled with PyInstaller. [21]
G1006 Earth Lusca: Earth Lusca used Python scripts for port scanning or building reverse shells. [22]
S0377 Ebury: Ebury has used Python to implement its DGA. [23]
S1120 FRAMESTING: FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package. [24]
S0581 IronNetInjector: IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector. [25]
S0387 KeyBoy: KeyBoy uses Python scripts for installing files and performing execution. [26]
S0276 Keydnap: Keydnap uses Python for scripting to execute additional commands. [27]
G0094 Kimsuky: Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data. [28][29]
S1213 Lumma Stealer: Lumma Stealer has used malicious Python scripts to execute payloads. [30]
S0409 Machete: Machete is written in Python and is used in conjunction with additional Python scripts. [31][32][33]
G0095 Machete: Machete used multiple compiled Python scripts on the victim's system. Machete's main backdoor, Machete, is also written in Python. [34][31][33]
S0459 MechaFlounder: MechaFlounder uses a Python-based payload. [35]
G0069 MuddyWater: MuddyWater has developed tools in Python, including Out1. [36]
S1189 Neo-reGeorg: Neo-reGeorg is a Python-based web shell. [37]
C0014 Operation Wocao: During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe. [38]
S0428 PoetRAT: PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools. [39]
S0196 PUNCHBUGGY: PUNCHBUGGY has used Python scripts. [40]
S0192 Pupy: Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc. [41]
S1032 PyDCrypt: PyDCrypt, along with its functions, is written in Python. [42]
S0583 Pysa: Pysa has used Python scripts to deploy ransomware. [43]
G1039 RedCurl: RedCurl has used a Python script to establish outbound communication and to execute commands using SMB port 445. [44]
S1187 reGeorg: reGeorg is a Python-based web shell. [45]
S0332 Remcos: Remcos uses Python scripts. [46]
G0106 Rocke: Rocke has used Python-based malware to install and spread their coinminer. [47]
C0045 ShadowRay: During ShadowRay, threat actors used the Python pty module to open reverse shells. [48]
S0692 SILENTTRINITY: SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems. [49][50]
S1035 Small Sieve: Small Sieve can use Python scripts to execute commands. [51]
S0374 SpeakUp: SpeakUp uses Python scripts. [52]
G0131 Tonto Team: Tonto Team has used Python-based tools for execution. [53]
S0647 Turian: Turian has the ability to use Python to spawn a Unix shell. [54]
G0010 Turla: Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads. [25]
S1164 UPSTYLE: UPSTYLE is a Python-based application. [55][56]
G0128 ZIRCONIUM: ZIRCONIUM has used Python-based implants to interact with compromised hosts. [57][1]
Mitigations
M1049 Antivirus/Antimalware: Anti-virus can be used to automatically quarantine suspicious files.
M1047 Audit: Inventory systems for unauthorized Python installations.
M1038 Execution Prevention: Denylist Python where not required.
M1033 Limit Software Installation: Prevent users from installing Python where not required.
Detection
DS0017 Command / Command Execution: Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.
Analytic 1 - Look for unusual Python execution.
sourcetype=wineventlog:security OR sourcetype=sysmon EventCode=4688 OR EventCode=1
| search (process_name="python.exe" OR process_name="python3" OR process_name="python")
| eval suspicious_script=if(match(command_line, ".*-c .*|.*exec.*|.*import os.*|.*eval.*|.*base64.*"), "True", "False")
| where suspicious_script="True"
| table _time, user, host, command_line, process_name, parent_process
DS0009 Process / Process Creation: Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution.
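The analytic above, applied as runnable detection logic over constructed process-creation records, is an added example and not part of the ATT&CK page; the JSON-lines record format, the field names and the known_good baseline parameter are assumptions made here, the latter standing in for the "standard usage patterns" the detection text says are needed to keep false positives down:

```python
import json
import re
from typing import Dict, Iterable, List

# Interpreter names and command-line patterns are the ones in the analytic above.
PYTHON_PROCESS_NAMES = {"python.exe", "python3", "python"}
SUSPICIOUS_CMDLINE = re.compile(r"-c |exec|import os|eval|base64")

def parse_event(line: str) -> Dict[str, str]:
    """Parse one JSON-lines process-creation record (a constructed format, not a
    real Sysmon or 4688 export) into a flat dict of string fields."""
    return {key: str(value) for key, value in json.loads(line).items()}

def is_suspicious_python(event: Dict[str, str], known_good: Iterable[str] = ()) -> bool:
    """Apply the analytic: a Python interpreter whose command line matches a pattern,
    unless it runs a script under a baselined path (known_good is an assumed
    allowlist added here for false-positive control)."""
    name = re.split(r"[\\/]", event.get("process_name", ""))[-1].lower()  # bare image name
    if name not in PYTHON_PROCESS_NAMES:
        return False
    cmd = event.get("command_line", "")
    if any(prefix in cmd for prefix in known_good):
        return False  # documented standard usage on this host; do not alert
    return SUSPICIOUS_CMDLINE.search(cmd) is not None

def hunt(lines: Iterable[str], known_good: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return flagged events with the columns the analytic's table command lists."""
    cols = ("_time", "user", "host", "command_line", "process_name", "parent_process")
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_python(event, known_good):
            hits.append({c: event.get(c, "") for c in cols})
    return hits

# Constructed sample records, not real telemetry. Record 1 is the inline
# decode-and-exec shape the analytic targets; record 3 is a benign script whose
# name merely contains "eval" and shows why a usage baseline is needed.
SAMPLE_LOG = [
    r'{"_time":"2025-05-01T10:02:11Z","user":"alice","host":"ws01","process_name":"C:\\Python312\\python.exe","parent_process":"cmd.exe","command_line":"python.exe -c \"import os,base64;exec(base64.b64decode(...))\""}',
    r'{"_time":"2025-05-01T10:05:40Z","user":"backup","host":"srv02","process_name":"/usr/bin/python3","parent_process":"cron","command_line":"python3 /opt/backup/rotate.py --daily"}',
    r'{"_time":"2025-05-01T10:07:03Z","user":"mlops","host":"srv03","process_name":"/usr/bin/python3","parent_process":"bash","command_line":"python3 /opt/tooling/eval_models.py"}',
    r'{"_time":"2025-05-01T10:09:55Z","user":"alice","host":"ws01","process_name":"cmd.exe","parent_process":"explorer.exe","command_line":"cmd.exe /c whoami"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, known_good=("/opt/tooling/",)):
        print(hit["_time"], hit["host"], hit["user"], hit["command_line"])
```

Without the baseline the substring patterns also flag the benign eval_models.py run, which is the false-positive class the detection text warns about; with the baseline only the inline decode-and-exec record remains.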
References
[1] Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
[2] Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
[3] Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
[4] Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
[5] FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
[6] Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
[7] Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
[8] Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
[9] Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
[10] Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[11] Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
[12] Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who's Your Daddy?. Retrieved June 4, 2019.
[13] Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
[14] Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
[15] Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
[16] Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved July 22, 2020.
[17] Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
[18] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
[19] TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
[20] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
[21] Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
[22] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
[23] Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
[24] Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[25] Reichel, D. (2021, February 19). IronNetInjector: Turla's New Malware Loading Tool. Retrieved February 24, 2021.
[26] Hulcoop, A., et al. (2016, November 17). It's Parliamentary: KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
[27] Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
[28] CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
[29] KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
[30] Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
[31] ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
[32] Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
[33] kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
[34] The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
[35] Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
[36] Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
[37] L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
[38] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
[39] Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
[40] Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
[41] Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
[42] Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
[43] CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
[44] Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
[45] xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
[46] Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
[47] Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
[48] Lumelsky, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.
[49] Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
[50] Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
[51] NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
[52] Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
[53] Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
[54] Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
[55] Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
[56] Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
[57] Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
US