T1059 Command and Scripting Interpreter
T1059 — Command and Scripting Interpreter is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 99 detection use cases covering it and 40 threat-intel articles citing it.
Tactic: Execution · Use cases: 99 · Articles: 40 · Sub-techniques: 13
Sub-techniques (13)
T1059.002 · AppleScript
T1059.010 · AutoHotKey & AutoIT
T1059.009 · Cloud API
T1059.013 · Container CLI/API
T1059.012 · Hypervisor CLI
T1059.007 · JavaScript
T1059.011 · Lua
T1059.008 · Network Device CLI
T1059.001 · PowerShell
T1059.006 · Python
T1059.004 · Unix Shell
T1059.005 · Visual Basic
T1059.003 · Windows Command Shell
Use cases covering this technique (99)
Spring4Shell RCE attempts (CVE-2022-22963)
Command injection exploited (WAF detection)
Falco runtime-security alert
Log4Shell RCE attempts (CVE-2021-44228)
[WEEKLY] Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
[WEEKLY] Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request
[WEEKLY] Internet-facing server process spawns interpreter then beacons to first-seen external host within 5 minutes
[WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
[WEEKLY] Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain
[WEEKLY] Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool
[WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain
[WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens
[WEEKLY] Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host
[WEEKLY] Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop
Cisco IOS XE Guestshell Activation and Destroy
Cisco IOS XE Request Platform Package Describe Shell Pattern
ESXi Reverse Shell Patterns
MCP Filesystem Server Suspicious Extension Write
MCP Prompt Injection
Ollama Suspicious Prompt Injection Jailbreak
Cisco NVM - Installation of Typosquatted Python Package
Cisco NVM - Suspicious File Download via Headless Browser
Excessive distinct processes from Windows Temp
Excessive number of taskhost processes
Living Off The Land Detection
Log4Shell CVE-2021-44228 Exploitation
Process Writing DynamicWrapperX
Wermgr Process Spawned CMD Or Powershell Process
Windows Apache Benchmark Binary
Windows AutoIt3 Execution
Windows Command and Scripting Interpreter Hunting Path Traversal
Windows Command and Scripting Interpreter Path Traversal Exec
Windows Common Abused Cmd Shell Risk Behavior
Windows Defender ASR Audit Events
Windows Defender ASR Block Events
Windows Defender ASR Rules Stacking
Windows Identify Protocol Handlers
Windows PaperCut NG Spawn Shell
Windows Process Accessing Windows Recall Directory
Windows Process Execution From RDP Share
Windows Remote Image Load
Windows Scheduled Task Service Spawned Shell
Windows Suspicious VMWare Tools Child Process
Windows TeamCity Payload Execution from Temp Directory
Windows TeamCity Plugin Installed
Windows WinDBG Spawning AutoIt3
Windows XLL File Creation Outside of Typical Location
Cisco Secure Firewall - Binary File Type Download
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
Cisco Secure Firewall - Possibly Compromised Host
Cisco Secure Firewall - Privileged Command Execution via HTTP
Cisco Secure Firewall - Wget or Curl Download
Detect Outbound LDAP Traffic
Juniper Networks Remote Code Execution Exploit Detection
CHCP Command Execution
Detect suspicious processnames using pretrained model in DSDL
[LLM] Implicit node-gyp rebuild from binding.gyp spawns suspicious build child
[LLM] Machine-cadence post-auth FortiGate CLI/API calls in single session (MCP-orchestrated)
[LLM] FireAnt Metakit.exe spawns unsigned setup.exe from update path (SPECTRALVIPER supply-chain delivery)
[LLM] SPECTRALVIPER known SHA1 sample sighting (ESET 2024-2026 IOC bundle)
[LLM] Ivanti Sentry command injection via /mics/api/v2/sentry/mics-config/handleMessage (CVE-2026-10520)
[LLM] Cargo build script spawning git with onering's exfil --pretty=format JSON
[LLM] DHCP Client svchost anomalous child process (CVE-2026-44815 post-exploit)
[LLM] HEEx / Elixir Kernel injection markers in BEAM-spawned process command line (CVE-2026-8467)
[LLM] LiteLLM CVE-2026-42271 MCP test endpoint POST (preview command injection)
[LLM] PHPSpreadsheet phar:/// three-slash wrapper in HTTP request (CVE-2026-45034)
[LLM] Stata binary spawning OS shell (CVE-2026-47708 stata-mcp log_file_name injection)
[LLM] Stata-authored log file written with shell metacharacters or path traversal in filename (CVE-2026-47708)
[LLM] Jupyter Enterprise Gateway /api/kernels POST with KERNEL_* YAML-injection payload
[LLM] Maven/Gradle build log file containing jqwik prompt-injection directive
[LLM] Node.js process spawns shell or LOLBin — vm2 sandbox escape post-exploitation (CVE-2026-47210)
[LLM] Node.exe spawning OS shell after vm2 sandbox exploitation
[LLM] Node.js web process spawning shell (LiquidJS RCE post-exploit)
[LLM] Yamcs MDB algorithm override PATCH with Java Runtime payload
[LLM] Laravel-Lang stealer file drop in .laravel_locale temp directory
[LLM] TamperedChef trojanized-app activation via --cm / --enableupdate / --fullupdate flags
[LLM] GlassFish java process spawning command shell (CVE-2026-2587 RCE)
[LLM] Inbound HTTP request with Camel-internal header or query param to CXF/Knative endpoint (CVE-2026-47323)
[LLM] Node.js process spawning shell or system utility — likely vm2 sandbox escape
[LLM] Marten CVE-2026-45288 regConfig SQL injection attempt in web traffic
[LLM] Marten CVE-2026-45288 injection observed executing in PostgreSQL audit log
[LLM] MCPHub tool execution via spoofed identity — POST to /<user>/messages with JSON-RPC body
[LLM] Post-exploit RCE: node.js (n8n) spawning shell or scripting interpreter
[LLM] Flowise node.exe Spawning OS Shell or Command-Line Utility - Post-Exploit RCE (CVE-2026-46442)
[LLM] Thymeleaf SpEL tab-character sandbox bypass payload in HTTP request (CVE-2026-40478)
[LLM] npm/node postinstall hook spawning interpreter and reaching new C2 host (Axios-style dropper)
[LLM] Compromised trivy binary (v0.69.4-v0.69.6) execution by SHA1 hash
[LLM] Storybook portable-stories RCE — vitest/node spawning shell, recon or secret-grep child (CVE-2026-27148)
[LLM] npm install referencing GitHub commit SHA (github:owner/repo#sha) — dangling-commit supply chain hunt
[LLM] AI CLI weaponized for recon — claude/gemini/q invoked under npm install lineage
[LLM] SKILL.md written to ~/.claude/skills/ or ~/.openclaw/skills/ (agent-skill install)
[LLM] Prompt-injection markers (base64, Unicode tags, 'ignore previous instructions') in SKILL.md content
[LLM] AI CLI tool (claude/gemini/q) spawned non-interactively by node/npm/npx for recon
[LLM] Process crash with faulting module WindowsCodecs.dll (CVE-2025-50165 exploit attempt)
[LLM] Node.js process downloads payload via curl/wget (React2Shell SNOWLIGHT/VShell deployment)
[LLM] WinRAR CVE-2025-8088 path traversal — payload dropped to user Startup folder
[LLM] Go typosquat module reference: github.com/boltdb-go/bolt in process or build telemetry
[LLM] npm/yarn/pnpm install of compromised @lottiefiles/lottie-player versions 2.0.5-2.0.7
Articles citing this technique (40)
[GHSA / CRITICAL] CVE-2026-44789: n8n: HTTP Request Node Pagination Prototype Pollution to RCE