title: Command and Scripting Interpreter (T1059)
id: df00tech-t1059
status: experimental
description: "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands."
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://df00tech.com/detections/T1059
author: df00tech
date: 2026/04/16
tags:
  - attack.t1059
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Office macros that invoke scripting engines for approved business automation
  - "WMI-based management tools (SCCM, Intune) that spawn script interpreters for system configuration"
  - Svchost launching script interpreters as part of scheduled tasks or Windows Update processes
level: high