title: Python (T1059.006)
id: df00tech-t1059-006
status: experimental
description: "Adversaries may abuse Python commands and scripts for execution. Python is a cross-platform scripting language that can be executed interactively from the command-line (via python.exe/python3), via scripts (.py), or compiled into binary executables. Python's built-in libraries for file operations, networking (socket, urllib, requests), and system interaction make it a powerful tool for adversaries. Threat actors including APT31, APT37, MuddyWater, and Contagious Interview have used Python-based implants, reverse shells, and backdoors across Windows, Linux, macOS, and ESXi environments."
references:
  - https://attack.mitre.org/techniques/T1059/006/
  - https://df00tech.com/detections/T1059.006
author: df00tech
date: 2026/04/17
tags:
  - attack.t1059.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder below (EventID: '*') matches every process_creation event and must be replaced before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Developers and data scientists running Python scripts that import networking or subprocess libraries
  - "DevOps automation tools (Ansible, SaltStack) that execute Python for system configuration"
  - CI/CD pipelines running Python test suites with subprocess calls
  - "Monitoring and observability agents written in Python (Datadog, Checkmk)"
level: high
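As an added illustration, not df00tech's rule or its KQL/SPL query, the following heuristic runs over constructed Sysmon-style process_creation records and flags Python interpreters launched with inline code or with the networking/subprocess imports the description names, with a parent-process allowlist for the false positives listed above. Field names (Image, CommandLine, ParentImage) are assumed to follow the Sigma process_creation schema.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed Sysmon EventID 1 style records for demonstration only; field
# names (Image, CommandLine, ParentImage) are assumed to follow Sigma's
# process_creation schema and may differ in your pipeline.
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'python.exe -c "import socket,subprocess;s=socket.socket()"'},
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Program Files\Git\bin\bash.exe",
     "CommandLine": r"python.exe C:\dev\tests\run_tests.py"},
    {"Image": "/usr/bin/python3.11", "ParentImage": "/usr/sbin/sshd",
     "CommandLine": "python3 -c 'import urllib.request;print(1)'"},
    {"Image": r"C:\hostedtoolcache\python.exe", "ParentImage": r"C:\agent\runner.exe",
     "CommandLine": 'python.exe -c "import subprocess;subprocess.run([\'pytest\'])"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -c Get-Date"},
]

# Interpreter names covered by the rule text: python, python3, pythonw, versioned variants.
INTERPRETER = re.compile(r"^python(w)?(3(\.\d+)?)?(\.exe)?$", re.IGNORECASE)
# Libraries the rule description singles out: networking and system interaction.
RISKY_IMPORTS = re.compile(r"\b(import|from)\s+(socket|urllib|requests|subprocess)\b")
INLINE_CODE = re.compile(r"(^|\s)-c(\s|$)")  # code passed inline, visible in the command line


def is_python(image: str) -> bool:
    # PureWindowsPath splits on both '\' and '/', so Linux/macOS paths work too.
    return bool(INTERPRETER.match(PureWindowsPath(image).name))


def classify(event: dict, parent_allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Reasons this event matches the heuristic; empty list when it does not."""
    if not is_python(event.get("Image", "")):
        return []
    # Parent allowlist absorbs the rule's listed false positives (CI runners, automation agents).
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() in parent_allowlist:
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    if INLINE_CODE.search(cmd):
        reasons.append("inline code via -c")
    if RISKY_IMPORTS.search(cmd):
        reasons.append("networking/subprocess import on command line")
    return reasons


def scan(events: list[dict], parent_allowlist: frozenset[str] = frozenset()) -> dict[int, list[str]]:
    """Map event index -> reasons for every event the heuristic flags."""
    return {i: r for i, e in enumerate(events) if (r := classify(e, parent_allowlist))}
```

Imports inside a script file (.py) never appear in process_creation data, so this heuristic only sees inline `-c` payloads; script contents need file or script-block telemetry.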
